CVE-2023-43281: 
Linux Fedora vulnerability analysis and mitigation

A Double Free vulnerability was discovered in Nothings Stb Image.h version 2.28, identified as CVE-2023-43281. The vulnerability allows a remote attacker to cause a denial of service through a crafted file targeting the stbiloadgif_main function (NVD, GitHub Advisory).

The vulnerability exists in the stbiloadgifmain function, which is called by stbiloadgiffrommemory and is used to parse GIF image format files. The issue occurs when stride*layer = 0 (when g.w, g.h, or layer is 0), causing a double free condition. The first free happens when outsize = 0 in the STBIREALLOCSIZED function, and the second free occurs in the stbi_loadgifmainoutofmem function. The vulnerability has a CVSS v3.1 Base Score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (Double STB).

The primary impact of this vulnerability is a denial of service condition, particularly after glibc 2.28 which implements double free detection, causing program crashes. In specific circumstances, this vulnerability could potentially lead to more severe exploitation, such as code execution (Double STB).

The vulnerability has been addressed in subsequent updates. Fedora has released security fixes for versions 37, 38, and 39 of the affected package. Users are advised to update their systems using the package manager with the appropriate advisory (Fedora Update).