CVE-2026-45729: ThorVG Null Pointer Dereference in SVG Parsing (CVSS 4.3)
ThorVG, a vector graphics rendering engine, contains a flaw that can crash applications using it when they process malicious SVG files. An attacker can craft a specially formatted SVG document as small as 6 bytes that triggers an application crash when the affected code path is invoked. This is a denial-of-service vulnerability affecting availability but not data confidentiality or integrity. The issue was introduced in earlier versions and is resolved in ThorVG 1.0.5.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-476
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Thor Vector Graphics (ThorVG) is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run() allows any caller that passes untrusted SVG data to Picture::load() to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45729 is a null pointer dereference vulnerability in the SvgLoader::run() function of ThorVG prior to version 1.0.5. The flaw occurs during SVG parsing when Picture::load() is called with untrusted SVG data. The vulnerability can be triggered with a minimal 6-byte payload, suggesting a simple edge case in the SVG parsing logic that fails to validate or handle a specific malformed structure. The null pointer dereference results in immediate process termination. The vulnerability is classified as CWE-476 (Null Pointer Dereference), a common memory safety issue in C/C++ applications.
Business impact
Organizations embedding ThorVG in applications that accept or render user-supplied SVG content face service availability risks. If an untrusted SVG file can reach a ThorVG-powered renderer—via email attachments, web uploads, design tools, or graphics processing pipelines—an attacker can crash the process. This impacts use cases like web services that convert SVG to raster formats, design collaboration platforms, and embedded graphics applications. The severity is moderated by the requirement that users interact with or process the malicious file (UI interaction is required per the CVSS vector), but in automated or background processing contexts, this requirement may be weaker.
Affected systems
Any application or library that embeds ThorVG versions prior to 1.0.5 and uses Picture::load() to parse SVG data from untrusted sources is affected. This includes applications built on ThorVG for SVG rendering, format conversion, or vector-based UI rendering. The vulnerability is triggered only when SVG data is loaded and parsed; statically compiled SVGs or SVGs from trusted sources pose no risk. Applications using ThorVG 1.0.5 or later are not affected.
Exploitability
Exploitation requires that an attacker can supply SVG data to an application that uses the vulnerable ThorVG version. The attack is highly reliable (low complexity) because the trigger is deterministic: a specific malformed SVG structure causes predictable null pointer dereference. However, successful attack depends on user interaction or application design that processes the SVG (the CVSS vector specifies UI:R). In attended scenarios, an attacker must convince a user to open or process a file. In unattended scenarios (automated SVG processing), the barrier to exploitation is lower. No authentication or privileges are required.
Remediation
Upgrade ThorVG to version 1.0.5 or later. Organizations should audit their software bill of materials (SBOM) to identify applications and libraries that depend on ThorVG and determine their current versions. For applications that cannot be immediately updated, implement input validation and sanitization on SVG files before they are passed to ThorVG—reject or clean SVG documents from untrusted sources. Isolate SVG processing in sandboxed environments if feasible. Monitor application logs for unexpected crashes related to SVG parsing.
Patch guidance
ThorVG 1.0.5 contains the fix for this null pointer dereference. Verify the patch by checking release notes and commit history at the ThorVG project repository. Apply updates to all applications, libraries, and tools that embed ThorVG. If you maintain a custom or bundled version of ThorVG, apply the upstream fix from the 1.0.5 release or cherry-pick the relevant commits. Test SVG rendering with a representative sample of legitimate and edge-case SVG files to ensure the fix does not introduce regressions.
Detection guidance
Monitor for repeated application crashes or process terminations coinciding with SVG file processing. Inspect crash logs and core dumps for stack traces mentioning SvgLoader or Picture::load(). Implement application-level logging to record when SVG files are loaded, especially from untrusted sources. If possible, integrate fuzzing or property-based testing of SVG inputs in your CI/CD pipeline to catch similar issues before they reach production. Network and log monitoring should flag attempts to upload or transmit SVG files to applications known to use vulnerable ThorVG versions.
Why prioritize this
Although this vulnerability is rated MEDIUM severity with a CVSS score of 4.3, it warrants prioritized patching because (1) exploitation is trivial and requires only a 6-byte payload, (2) the fix is available and low-risk (a patched version already exists), and (3) many organizations may be unaware they use ThorVG indirectly through dependencies. The lack of KEV designation suggests limited weaponization or public exploit activity to date, but the low barrier to exploitation and high reliability mean it could be weaponized quickly. Prioritize patching in internet-facing or user-interactive applications that process SVG files.
Risk score, explained
The CVSS 3.1 score of 4.3 reflects a network-accessible vulnerability (AV:N) with low attack complexity (AC:L) that requires no privileges or authentication, but causes only availability impact (A:L) and requires user interaction (UI:R). The scope is unchanged (S:U). This scoring appropriately reflects that denial-of-service via SVG parsing is less severe than a confidentiality or integrity breach, but more concerning than a purely local issue. The moderate CVSS score should not downplay the practical importance of patching, given the ease of exploitation and availability of a fix.
Frequently asked questions
How can I check if my application uses ThorVG?
Review your application's SBOM, dependency manifest, or build configuration files. Search your codebase for references to ThorVG, Picture::load(), or SvgLoader. If you use open-source projects that render SVG, check their documentation and issue trackers to see if they list ThorVG as a dependency. Vendor release notes and security advisories often mention when ThorVG is bundled.
Can this vulnerability be exploited remotely?
Yes, if the application receives SVG data over the network and processes it automatically or at user direction. Web-based design tools, SVG converters, and graphics processing services are particularly vulnerable. However, local exploitation is also possible if a user can be tricked into opening a malicious SVG file with an application that uses the vulnerable library.
What does 'null pointer dereference' mean in practical terms?
A null pointer dereference occurs when the code attempts to use or access memory through a pointer that points to null (zero address), rather than valid memory. This causes an immediate crash because the CPU cannot execute the intended operation. In this case, the SVG parser encounters a malformed structure, fails to initialize a required data structure, and then tries to use it anyway—causing the application to terminate.
Is upgrading to 1.0.5 safe, or could it break my application?
Version 1.0.5 is a patch release that fixes a null pointer dereference; it does not introduce new features or change APIs. It is considered safe to upgrade. However, as with any update, test it in a staging environment with your actual SVG workloads before deploying to production to confirm no regressions.
This analysis is provided for informational purposes to help security teams assess and remediate CVE-2026-45729. It is not legal advice, and use of this information is at your own risk. Always verify patch versions, vendor advisories, and your specific affected systems before taking remediation actions. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence. Consult official vendor advisories, security bulletins, and your organization's risk management policies when deciding on patch deployment schedules. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-60477MEDIUMMP4Box NULL Pointer Dereference Denial of Service
- CVE-2025-60481MEDIUMGPAC MP4Box NULL Pointer DoS Vulnerability (v26.02.0 Patch)
- CVE-2025-60483MEDIUMMP4Box AC4 Parser NULL Pointer DoS Vulnerability
- CVE-2025-60485MEDIUMMP4Box Segmentation Fault DoS Vulnerability (GPAC < 26.02.0)
- CVE-2025-60495MEDIUMMP4Box Segmentation Fault DoS Vulnerability – Patching Guide
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-28581MEDIUMAndroid Emergency Call Logic Error Vulnerability
- CVE-2026-46118MEDIUMLinux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)