libcue Library Flaw Opens GNOME Linux Systems Vulnerable to RCE Attacks

libcue Library Flaw Opens GNOME Linux Systems Vulnerable to RCE Attacks

A new security flaw has been disclosed in the libcue library impacting GNOME Linux systems that could be exploited to achieve remote code execution (RCE) on affected hosts.

Tracked as CVE-2023-43641 (CVSS score: 8.8), the issue is described as a case of memory corruption in libcue, a library designed for parsing cue sheet files. It impacts versions 2.2.1 and prior.

libcue is incorporated into Tracker Miners, a search engine tool that’s included by default in GNOME and indexes files in the system for easy access.

“A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage,” according to a description of the vulnerability in the National Vulnerability Database (NVD).

“Because the file is saved to ‘~/Downloads,’ it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution.”

The disclosure arrives two weeks after GitHub released comprehensive details about CVE-2023-3420, a high-severity type confusion vulnerability in the Google Chrome V8 JavaScript engine that enables remote code execution (RCE) in the renderer sandbox of the web browser by visiting a malicious site.

“Vulnerabilities like this are often the starting point for a ‘one-click’ exploit, which compromise the victim’s device when they visit a malicious website,” security researcher Man Yue Mo said. “A renderer RCE in Chrome allows an attacker to compromise and execute arbitrary code in the Chrome renderer process.”