Double free vulnerability in nothings' stb_image.h v2.28 allows a remote attacker to cause a denial of service via a crafted file passed to the stbi_load_gif_main function. https://gist.github.com/peccc/d8761f6ac45ad55cbd194dd7e6fdfdac https://github.com/peccc/double-stb
Created stb tracking bugs for this issue: Affects: epel-all [bug 2246322] Affects: fedora-all [bug 2246321]
This CVE appears to duplicate GHSL-2023-150/CVE-2023-45666 (bug 2246112) and GHSL-2023-148/CVE-2023-45664 (bug 2246106).
Additionally, the description as a remote denial of service is misleading: stb_image is a library that contains no network code of its own; a remote denial of service is possible when a specific application uses it to read untrusted images obtained via a network, but not, for example, if a game uses it to load its own “trusted” assets.
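Because stb_image.h is a single-header library that applications copy into their own source trees, the first practical check for a consumer is to find every vendored copy and compare its version against the v2.28 named in the description above. The script below is an added example, not part of this bug report, the stb project, or the Fedora/EPEL packages; it assumes each copy carries upstream's banner line of the form "/* stb_image - v2.28 - public domain image loader ...", builds a constructed sample tree for demonstration, and reports any copy at or below v2.28 as affected.

```shell
#!/bin/sh
# Added example (not code from the bug report or the stb project): find vendored
# copies of stb_image.h in a source tree and flag those at or below v2.28.
# Assumption: each copy starts with upstream's banner, e.g.
#   /* stb_image - v2.28 - public domain image loader - http://nothings.org/stb
# Copies without such a banner (locally edited headers) are reported as unknown
# rather than silently treated as fixed.

# stb_version FILE -> prints the major.minor version from the banner, or "unknown".
stb_version() {
    head -n 5 "$1" \
        | sed -n 's/^.*stb_image - v\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p' \
        | head -n 1 | grep . || echo unknown
}

# version_le A B -> exit 0 if version A <= version B (numeric major.minor compare).
version_le() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -lt "$b_major" ] \
        || { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -le "$b_minor" ]; }
}

# scan_tree DIR -> one line per stb_image.h: path, version, AFFECTED|ok|unknown.
scan_tree() {
    find "$1" -type f -name 'stb_image.h' | sort | while IFS= read -r f; do
        v=$(stb_version "$f")
        if [ "$v" = unknown ]; then
            status=unknown
        elif version_le "$v" 2.28; then
            status=AFFECTED
        else
            status=ok
        fi
        printf '%s\t%s\t%s\n' "$f" "$v" "$status"
    done
}

# make_sample_tree -> prints the path of a constructed sample tree (fabricated
# banners for demonstration only, not real vendored copies).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/game/third_party" "$d/tool/deps" "$d/misc"
    printf '/* stb_image - v2.28 - public domain image loader - http://nothings.org/stb\n' \
        > "$d/game/third_party/stb_image.h"
    printf '/* stb_image - v2.30 - public domain image loader - http://nothings.org/stb\n' \
        > "$d/tool/deps/stb_image.h"
    printf '/* locally modified copy, banner removed */\n' > "$d/misc/stb_image.h"
    echo "$d"
}

# Usage: sh scan_stb.sh [DIR]. With no DIR, the constructed sample tree is scanned.
if [ $# -gt 0 ]; then
    scan_tree "$1"
else
    sample=$(make_sample_tree)
    scan_tree "$sample"
    rm -rf "$sample"
fi
```

An AFFECTED line only says the code is present; as the comment above notes, whether it is reachable by an attacker depends on whether that application feeds it untrusted images, so each hit still needs a look at who supplies the input.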