libcue Library Flaw Leaves GNOME Linux Systems Vulnerable to RCE Attacks


A new security flaw has been disclosed in the libcue library impacting GNOME Linux systems that could be exploited to achieve remote code execution (RCE) on affected hosts.

Tracked as CVE-2023-43641 (CVSS score: 8.8), the issue is described as a case of memory corruption in libcue, a library designed for parsing cue sheet files. It impacts versions 2.2.1 and prior.

libcue is incorporated into Tracker Miners, a search engine tool that’s included by default in GNOME and indexes files in the system for easy access.

The problem is rooted in an out-of-bounds array access in the track_set_index function, which makes it possible to achieve code execution on the machine simply by tricking a victim into clicking a malicious link and downloading a .cue file.
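A simplified model of the bug class described above, as an added example that is not libcue's source code: a setter writes into a fixed-size per-track array, and a check that tests only the upper bound still accepts negative signed indices, while the two-sided check rejects them. `DemoTrack`, `MAX_INDEX` and the function names are hypothetical, and the one-sided check is an assumed illustration of how such an access can pass validation.

```c
#include <limits.h>
#include <stdio.h>

#define MAX_INDEX 99 /* assumed capacity for this example */

/* Hypothetical stand-in for a parsed track; not libcue's struct. */
typedef struct {
    long index[MAX_INDEX + 1];
} DemoTrack;

/* One-sided check: stops indices that are too large, but a negative
 * signed index still passes. Kept as a predicate so this example
 * never performs the out-of-bounds access itself. */
static int upper_bound_only_ok(int i) { return i <= MAX_INDEX; }

/* Two-sided check: the index must fall inside [0, MAX_INDEX]. */
static int index_ok(int i) { return i >= 0 && i <= MAX_INDEX; }

/* Hardened setter: returns 0 on success, -1 when the index is rejected. */
static int demo_track_set_index(DemoTrack *t, int i, long value) {
    if (t == NULL || !index_ok(i))
        return -1;
    t->index[i] = value;
    return 0;
}

/* Count inputs the one-sided check accepts although they are out of bounds. */
static int count_missed(const int *samples, int n) {
    int missed = 0;
    for (int k = 0; k < n; k++)
        if (upper_bound_only_ok(samples[k]) && !index_ok(samples[k]))
            missed++;
    return missed;
}

int main(void) {
    /* Constructed sample indices, as a parser might hand them over. */
    static const int samples[] = { 0, 1, 99, 100, -1, INT_MIN };
    int n = (int)(sizeof samples / sizeof samples[0]);
    DemoTrack t = { { 0 } };

    for (int k = 0; k < n; k++)
        printf("index %d: upper-only=%d hardened=%s\n", samples[k],
               upper_bound_only_ok(samples[k]),
               demo_track_set_index(&t, samples[k], 1L) == 0 ? "stored" : "rejected");
    printf("missed by upper-only check: %d\n", count_missed(samples, n));
    return 0;
}
```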

“A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage,” according to a description of the vulnerability in the National Vulnerability Database (NVD).

