{"id":"CVE-2019-20446","details":"In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.","modified":"2026-04-16T04:38:26.002036575Z","published":"2020-02-02T14:15:10.523Z","related":["ALSA-2020:4709","SUSE-SU-2020:0604-1","SUSE-SU-2020:0629-1","SUSE-SU-2020:0629-2","openSUSE-SU-2020:0343-1","openSUSE-SU-2024:10986-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20221111-0004/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4436-1/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00024.html"},{"type":"ADVISORY","url":"https://gitlab.gnome.org/GNOME/librsvg/issues/515"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00016.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gnome/librsvg","events":[{"introduced":"0"},{"fixed":"13fbcd136977f3e765e22181404aafa59f8d8fb3"},{"introduced":"2465e1bfc0aab8d03fb4a2c3a6b6cc110fcbde98"},{"fixed":"6c1c962f063f36b6c317e08af5af77a861e789ae"},{"introduced":"18a4f166c4faf590988823c472bd0333fcf7d1e7"},{"fixed":"d6139dc6e36714486c093a0ee8a83794d1787787"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.40.21"},{"introduced":"2.42.0"},{"fixed":"2.42.8"},{"introduced":"2.44.0"},{"fixed":"2.44.16"}]}}],"versions":["2.34.0","2.34.1","2.35.0","2.35.1","2.35.2","2.36.0","2.36.1","2.36.2","2.36.3","2.36.4","2.37.0","2.39.0","2.40.0","2.40.1","2.40.10","2.40.11","2.40.12","2.40.13","2.40.14","2.40.15","2.40.16","2.40.17","2.40.18","2.40.19","2.40.2","2.40.20","2.40.3","2.40.4","2.40.5","2.40.6","2.40.7","2.40.8","2.40.9","2.42.0","2.42.1","2.42.2","2.42.3","2.42.4","2.42.5","2.42.6","2.42.7","2.44.0","2.44.1","2.44.10","2.44.11","2.44.12","2.44.13","2.44.14","2.44.15","2.44.2","2.44.3","2.44.4","2.44.5","2.44.6","2.44.7","2.44.8","2.44.9","GNOME_2_4_BRANCHPOINT","LIBRSVG_0_0_1","LIBRSVG_1_0_0","LIBRSVG_1_0_1","LIBRSVG_1_0_ANCHOR","LIBRSVG_1_1_1","LIBRSVG_1_1_2","LIBRSVG_1_1_3","LIBRSVG_1_1_4","LIBRSVG_1_1_5","LIBRSVG_1_1_6","LIBRSVG_2_0_1","LIBRSVG_2_1_0","LIBRSVG_2_1_1","LIBRSVG_2_1_2","LIBRSVG_2_1_3","LIBRSVG_2_1_4","LIBRSVG_2_1_5","LIBRSVG_2_22_3","LIBRSVG_2_26_2","LIBRSVG_2_26_3","LIBRSVG_2_2_0","LIBRSVG_2_31_0","help","librsvg-2-13-3","librsvg-2-13-90","librsvg-2-13-93","release-2-2-4","release-2-2-5","release-2-3-0","release-2-4-0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"30"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-20446.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}