Overview
CVE-2020-37239 is a critical memory safety vulnerability (CVSS 9.8) in libbabl 0.1.62, the pixel format translation library used widely in graphics applications — most notably GIMP and GEGL. The library implements a custom double-free detection mechanism, but it contains a fundamental design flaw: when a chunk is freed, libc's internal malloc metadata overwrites babl's detection signature in the freed memory region. A subsequent call to babl_free() on the same pointer no longer finds the expected signature and therefore fails to raise an error, silently allowing the double-free to proceed.
Technical Details
libbabl's babl_free() stores a canary signature in freed memory chunks as a guard against accidental double-free. The flaw is that after free() returns control to libc, libc's allocator immediately repurposes part of the freed chunk's header for its own bookkeeping metadata — overwriting babl's signature. A second babl_free() call on the same address then reads the memory region, finds no recognizable signature (libc has overwritten it), concludes the pointer has not been freed before, and proceeds to call free() a second time.
This silent bypass has several consequences:
- Heap corruption — double-freeing corrupts malloc's internal free-list structures.
- Use-after-free conditions — dependent code may later dereference reallocated memory.
- Potential code execution — on systems where heap layout can be groomed, corrupted metadata can be exploited to redirect execution.
Why the guard fails
1. babl_free(ptr) → writes signature into *ptr, calls free(ptr)
2. libc free(ptr) → overwrites *ptr with its own bookkeeping metadata
3. babl_free(ptr) → reads *ptr, finds NO babl signature → assumes safe
4. → calls free(ptr) again → DOUBLE FREE, heap corruption
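The sequence above fails because the detection state lives inside the very chunk that free() hands back to the allocator, where glibc's free-list bookkeeping (the tcache next pointer and key, for example) lands in the first bytes of the user region. The following C program is an added example, not libbabl's code: it keeps the record of live allocations in a table outside the chunk, so the second free is rejected regardless of what libc writes into the freed memory. The table size and function names (`guarded_malloc`, `guarded_free`, `demo_double_free`) are this example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Out-of-band double-free detection (example only, not babl's design).
 * The allocator never touches this table, so a freed chunk being
 * overwritten by malloc metadata cannot erase the "already freed" fact. */
#define MAX_LIVE 256
static void *live[MAX_LIVE];          /* NULL marks a free slot */

static int find_live(const void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) return i;
    return -1;
}

/* Allocate and record the pointer; returns NULL if malloc fails or the
 * table is full (refusing is safer than handing out an untracked chunk). */
void *guarded_malloc(size_t n) {
    int slot = find_live(NULL);
    if (slot < 0) return NULL;
    void *p = malloc(n);
    if (p) live[slot] = p;
    return p;
}

/* Free only pointers currently recorded as live. Returns 0 on success and
 * -1 for a double free or foreign pointer, in which case free() is NOT called. */
int guarded_free(void *p) {
    if (p == NULL) return 0;
    int slot = find_live(p);
    if (slot < 0) {
        fprintf(stderr, "guarded_free: %p is not live (double free?)\n", p);
        return -1;
    }
    live[slot] = NULL;                /* record the free before libc sees the chunk */
    free(p);
    return 0;
}

/* Replays the advisory's sequence: the same pointer freed twice.
 * Returns how many frees were rejected (1 when the guard works). */
int demo_double_free(void) {
    unsigned char *px = guarded_malloc(64);    /* constructed sample buffer */
    if (!px) return -1;
    memset(px, 0xAB, 64);
    int rejected = 0;
    if (guarded_free(px) != 0) rejected++;     /* first free: accepted */
    if (guarded_free(px) != 0) rejected++;     /* second free: rejected */
    return rejected;
}

int main(void) { return demo_double_free() == 1 ? 0 : 1; }
```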
Affected Products
| Library | Version |
|---|---|
| libbabl | 0.1.62 |
Applications built against this version of libbabl may expose the vulnerability when processing untrusted image data.
Impact
An attacker who can supply maliciously crafted pixel data to an application using libbabl may be able to trigger double-free conditions leading to heap corruption. In a worst-case scenario, heap layout manipulation could yield arbitrary code execution in the context of the processing application. Applications commonly affected include image editors, thumbnail generators, and media processing pipelines that pass untrusted user content through GEGL or GIMP-derived libraries.
CVSS Score
| Metric | Value |
|---|---|
| Base Score | 9.8 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Remediation
- Upgrade libbabl — update to a version where the double-free detection mechanism correctly accounts for libc metadata overwriting.
- Compiler hardening — build with `-D_FORTIFY_SOURCE=2` and AddressSanitizer (`-fsanitize=address`) in development to catch double-free conditions early.
- Sandbox image processing — run untrusted image processing in an isolated process or container with restricted privileges.
- Audit callers — review code that calls `babl_free()` to ensure no shared pointer ownership patterns create double-free opportunities.