The GitHub Security Lab recently disclosed a memory corruption vulnerability in the libcue library, which affects GNOME Linux systems . This vulnerability allows for remote code execution and has a high severity level.
The vulnerability, identified as CVE-2023-43641  , has a CVSS score of 8.8 . It arises from an out-of-bounds array access in the tracksetindex function of libcue . Versions 2.2.1 and earlier are impacted. Exploiting this vulnerability involves tricking a user into downloading a malicious .cue file while using the GNOME desktop environment. The file is saved in the user’s Downloads folder and is automatically scanned by tracker-miners  , an application that indexes files in users’ home directories . Since the file has a .cue extension  , tracker-miners use libcue to parse it  , which allows the exploit to gain code execution  . This vulnerability has been described as a one-click remote code execution. Users are advised to exercise caution and avoid clicking on suspicious links to prevent exploitation . Technical details have been withheld to allow users time to install updates .