Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1814+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2020-37239: libbabl 0.1.62 Broken Double-Free Detection
CVE-2020-37239: libbabl 0.1.62 Broken Double-Free Detection

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2020-37239

CVE-2020-37239: libbabl 0.1.62 Broken Double-Free Detection

A critical CVSS 9.8 memory safety flaw in libbabl 0.1.62 allows attackers to call babl_free() twice on the same pointer without triggering the library's...

Dylan H.

Security Team

May 16, 2026
3 min read

Affected Products

  • libbabl 0.1.62

Overview

CVE-2020-37239 is a critical memory safety vulnerability (CVSS 9.8) in libbabl 0.1.62, the pixel format translation library used widely in graphics applications — most notably GIMP and GEGL. The library implements a custom double-free detection mechanism, but it contains a fundamental design flaw: when a chunk is freed, libc's internal malloc metadata overwrites babl's detection signature in the freed memory region. A subsequent call to babl_free() on the same pointer no longer finds the expected signature and therefore fails to raise an error, silently allowing the double-free to proceed.

Technical Details

libbabl's babl_free() stores a canary signature in freed memory chunks as a guard against accidental double-free. The flaw is that after free() returns control to libc, libc's allocator immediately repurposes part of the freed chunk's header for its own bookkeeping metadata — overwriting babl's signature. A second babl_free() call on the same address then reads the memory region, finds no recognizable signature (libc has overwritten it), concludes the pointer has not been freed before, and proceeds to call free() a second time.

This silent bypass has several consequences:

  • Heap corruption — double-freeing corrupts malloc's internal free-list structures.
  • Use-after-free conditions — dependent code may later dereference reallocated memory.
  • Potential code execution — on systems where heap layout can be groomed, corrupted metadata can be exploited to redirect execution.

Why the guard fails

1. babl_free(ptr)   → writes signature into *ptr, calls free(ptr)
2. libc free(ptr)   → overwrites *ptr with its own bookkeeping metadata
3. babl_free(ptr)   → reads *ptr, finds NO babl signature → assumes safe
4.                  → calls free(ptr) again → DOUBLE FREE, heap corruption

Affected Products

LibraryVersion
libbabl0.1.62

Applications built against this version of libbabl may expose the vulnerability when processing untrusted image data.

Impact

An attacker who can supply maliciously crafted pixel data to an application using libbabl may be able to trigger double-free conditions leading to heap corruption. In a worst-case scenario, heap layout manipulation could yield arbitrary code execution in the context of the processing application. Applications commonly affected include image editors, thumbnail generators, and media processing pipelines that pass untrusted user content through GEGL or GIMP-derived libraries.

CVSS Score

MetricValue
Base Score9.8 (Critical)
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh

Remediation

  1. Upgrade libbabl — update to a version where the double-free detection mechanism correctly accounts for libc metadata overwriting.
  2. Compiler hardening — build with -D_FORTIFY_SOURCE=2 and address sanitizer (-fsanitize=address) in development to catch double-free conditions early.
  3. Sandbox image processing — run untrusted image processing in an isolated process or container with restricted privileges.
  4. Audit callers — review code that calls babl_free() to ensure no shared pointer ownership patterns create double-free opportunities.

References

  • NVD Entry: CVE-2020-37239

Related Reading

  • CVE-2020-37228: iDS6 DSSPro Digital Signage CAPTCHA
  • CVE-2026-21997: Oracle Life Sciences Empirica Signal
  • CVE-2026-26477: DokuWiki media_upload_xhr() Denial of
#Vulnerability#CVE#Memory-Safety#Double-Free#NVD

Related Articles

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

3 min read

CVE-2026-4321: Critical SQL Injection in Raera Destekz Plugin (No Patch Available)

A CVSS 9.8 critical SQL injection in the Destekz plugin by Raera - Ankara Web Design allows unauthenticated remote attackers full database access. The...

2 min read

CVE-2026-49814: Dell PowerProtect Data Domain OS Command Injection

A high-severity OS command injection vulnerability in Dell PowerProtect Data Domain allows authenticated remote attackers to execute arbitrary commands...

3 min read
Back to all Security Alerts