{"id":"CVE-2023-44488","details":"VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding.","modified":"2026-04-16T04:30:48.952869266Z","published":"2023-09-30T20:15:10.200Z","related":["ALSA-2023:5537","ALSA-2023:5539","ALSA-2023:6187","ALSA-2023:6188","ALSA-2023:6191","ALSA-2023:6194","SUSE-SU-2024:2409-1"],"references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202310-04"},{"type":"ADVISORY","url":"https://github.com/webmproject/libvpx/releases/tag/v1.13.1"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5518"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2023/09/30/4"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TE7F54W5O5RS4ZMAAC7YK3CZWQXIDSKB/"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2241806"},{"type":"FIX","url":"https://github.com/webmproject/libvpx/commit/263682c9a29395055f3b3afe2d97be1828a6223f"},{"type":"FIX","url":"https://github.com/webmproject/libvpx/commit/df9fd9d5b7325060b2b921558a1eb20ca7880937"},{"type":"FIX","url":"https://github.com/webmproject/libvpx/compare/v1.13.0...v1.13.1"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00001.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/webmproject/libvpx","events":[{"introduced":"0"},{"fixed":"10b9492dcf05b652e2e4b370e205bd605d421972"},{"fixed":"263682c9a29395055f3b3afe2d97be1828a6223f"},{"fixed":"df9fd9d5b7325060b2b921558a1eb20ca7880937"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.13.1"}]}}],"versions":["v0.9.0","v0.9.1","v0.9.6","v0.9.7","v0.9.7-p1","v1.0.0","v1.10.0-rc1","v1.13.0","v1.13.0-rc1","v1.2.0"],"database_specific":{"vanir_signatures_modified":"2026-04-12T04:43:57Z","vanir_signatures":[{"id":"CVE-2023-44488-00043731","deprecated":false,"target":{"file":"test/resize_test.cc"},"digest":{"threshold":0.9,"line_hashes":["222294996861201494531563221115526181830","177905442242017154764135092917670987263","296724635726239450151188088484457977547","239526560363414815411427251471114210813","280264804579290740107140485224924599482","144349025532577011718562765009437570731","316910969817943378999824533302179504849","161960282496103445579723084322288077455","337115596510057977265545488667594329807","143669365957967526086866222666248318510","155529621569970989173321266156303962503","206269327044260984591032794736675601133"]},"signature_type":"Line","source":"https://github.com/webmproject/libvpx/commit/263682c9a29395055f3b3afe2d97be1828a6223f","signature_version":"v1"},{"id":"CVE-2023-44488-606c734a","deprecated":false,"target":{"file":"vp9/common/vp9_alloccommon.c"},"digest":{"threshold":0.9,"line_hashes":["201803964402216507343490433769062691564","274359627004548197944293149534218664050","82892325136555187310924762098086198755","186316245402164727720295036670925056262","205194836444687988294513798140418440085","106415616385182659408988276268465431039","293937144073492810335523885571568587868","70871289163148326534620694842503059032","24766894206750828597041146145704692213","207284718232163746410487328441090732861"]},"signature_type":"Line","source":"https://github.com/webmproject/libvpx/commit/df9fd9d5b7325060b2b921558a1eb20ca7880937","signature_version":"v1"},{"id":"CVE-2023-44488-61e3a23f","deprecated":false,"target":{"file":"vp9/common/vp9_alloccommon.c","function":"vp9_alloc_context_buffers"},"digest":{"function_hash":"39263615157591346240588001092418643047","length":1143},"signature_type":"Function","signature_version":"v1","source":"https://github.com/webmproject/libvpx/commit/263682c9a29395055f3b3afe2d97be1828a6223f"},{"id":"CVE-2023-44488-78cf689e","deprecated":false,"target":{"file":"test/resize_test.cc"},"digest":{"threshold":0.9,"line_hashes":["222294996861201494531563221115526181830","177905442242017154764135092917670987263","296724635726239450151188088484457977547","239526560363414815411427251471114210813","280264804579290740107140485224924599482","144349025532577011718562765009437570731","316910969817943378999824533302179504849","161960282496103445579723084322288077455","337115596510057977265545488667594329807","143669365957967526086866222666248318510","155529621569970989173321266156303962503","206269327044260984591032794736675601133"]},"signature_type":"Line","signature_version":"v1","source":"https://github.com/webmproject/libvpx/commit/df9fd9d5b7325060b2b921558a1eb20ca7880937"},{"id":"CVE-2023-44488-909193b2","deprecated":false,"target":{"function":"ScaleForFrameNumber","file":"test/resize_test.cc"},"digest":{"function_hash":"288963996531984184536244424477045288365","length":2180},"signature_type":"Function","signature_version":"v1","source":"https://github.com/webmproject/libvpx/commit/263682c9a29395055f3b3afe2d97be1828a6223f"},{"id":"CVE-2023-44488-9cb458ac","deprecated":false,"target":{"file":"vp9/encoder/vp9_encoder.c"},"digest":{"threshold":0.9,"line_hashes":["297536733178013336173845220589622016262","310964825139288665161260973936441401479","172762087294317778397252765352531062212","335085056618071635204026208355251742043","275728933378211126258945904894723629237","277167508445064379967046790202939206440","22709030589833323417308096164073662712","211631338260170564770258418724506139852","230254996296603836217313589530369739093","312723164149999531686344208481768764041","240017725614467990035700092198035457655","231690860587987209475558095845170944107"]},"signature_type":"Line","source":"https://github.com/webmproject/libvpx/commit/263682c9a29395055f3b3afe2d97be1828a6223f","signature_version":"v1"},{"id":"CVE-2023-44488-a56cc93e","deprecated":false,"target":{"file":"vp9/common/vp9_alloccommon.c"},"digest":{"threshold":0.9,"line_hashes":["201803964402216507343490433769062691564","274359627004548197944293149534218664050","82892325136555187310924762098086198755","186316245402164727720295036670925056262","205194836444687988294513798140418440085","106415616385182659408988276268465431039","293937144073492810335523885571568587868","70871289163148326534620694842503059032","24766894206750828597041146145704692213","207284718232163746410487328441090732861"]},"signature_type":"Line","source":"https://github.com/webmproject/libvpx/commit/263682c9a29395055f3b3afe2d97be1828a6223f","signature_version":"v1"},{"id":"CVE-2023-44488-ac721d10","deprecated":false,"target":{"function":"vp9_alloc_context_buffers","file":"vp9/common/vp9_alloccommon.c"},"digest":{"function_hash":"39263615157591346240588001092418643047","length":1143},"signature_type":"Function","signature_version":"v1","source":"https://github.com/webmproject/libvpx/commit/df9fd9d5b7325060b2b921558a1eb20ca7880937"},{"digest":{"function_hash":"217232019533202777357522145330625855591","length":3833},"deprecated":false,"target":{"function":"vp9_change_config","file":"vp9/encoder/vp9_encoder.c"},"id":"CVE-2023-44488-b36b8fee","signature_type":"Function","source":"https://github.com/webmproject/libvpx/commit/263682c9a29395055f3b3afe2d97be1828a6223f","signature_version":"v1"},{"id":"CVE-2023-44488-bd976bf6","deprecated":false,"target":{"file":"vp9/encoder/vp9_encoder.c"},"digest":{"threshold":0.9,"line_hashes":["297536733178013336173845220589622016262","310964825139288665161260973936441401479","172762087294317778397252765352531062212","335085056618071635204026208355251742043","275728933378211126258945904894723629237","277167508445064379967046790202939206440","22709030589833323417308096164073662712","211631338260170564770258418724506139852","230254996296603836217313589530369739093","312723164149999531686344208481768764041","240017725614467990035700092198035457655","231690860587987209475558095845170944107"]},"signature_type":"Line","source":"https://github.com/webmproject/libvpx/commit/df9fd9d5b7325060b2b921558a1eb20ca7880937","signature_version":"v1"},{"digest":{"function_hash":"217232019533202777357522145330625855591","length":3833},"deprecated":false,"target":{"file":"vp9/encoder/vp9_encoder.c","function":"vp9_change_config"},"id":"CVE-2023-44488-cb7b7c7b","signature_type":"Function","source":"https://github.com/webmproject/libvpx/commit/df9fd9d5b7325060b2b921558a1eb20ca7880937","signature_version":"v1"},{"id":"CVE-2023-44488-f23d0b8e","deprecated":false,"target":{"function":"ScaleForFrameNumber","file":"test/resize_test.cc"},"digest":{"function_hash":"288963996531984184536244424477045288365","length":2180},"signature_type":"Function","source":"https://github.com/webmproject/libvpx/commit/df9fd9d5b7325060b2b921558a1eb20ca7880937","signature_version":"v1"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0"}]},{"events":[{"introduced":"0"},{"last_affected":"37"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-44488.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}