CVE

CVE-2025-46333

z2d OOB composition could lead to invalid memory access and corruption

z2d is a pure Zig 2D graphics library. In versions of z2d after 0.5.1 and up to and including 0.6.0, when writing from one surface to another using z2d.compositor.StrideCompositor.run, and in higher-level operations when the anti-aliasing mode is set to .default (such as Context.fill, Context.stroke, painter.fill, and painter.stroke), the source surface can be completely out-of-bounds on the x-axis, but not on the y-axis, by way of a negative offset. This results in an overflow of the value controlling the length of the stride. In non-safe optimization modes (consumers compiling with ReleaseFast or ReleaseSmall), this could potentially lead to invalid memory accesses or corruption.

This issue is patched in version 0.6.1. Users on an untagged version after v0.5.1 and before v0.6.1 are advised to update to address the vulnerability. Those still on Zig 0.13.0 are recommended to downgrade to v0.5.1.
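
The failure mode described above, as an added example that is not z2d's code: a C model of clipping one source row against a destination row at a signed x offset, with the unchecked length calculation beside a bounds-checked one. The function names and the exact shape of the calculation are assumptions; C's wrapping unsigned subtraction stands in for a build compiled without overflow checks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers (not z2d's API): place a source row of src_w pixels at
   signed offset x on a destination row of dst_w pixels. */

/* Unchecked length: unsigned subtraction wraps silently, as in a build
   compiled without overflow checks. */
size_t row_len_unchecked(int32_t x, uint32_t src_w, uint32_t dst_w)
{
    uint32_t src_start = x < 0 ? (uint32_t)(-(int64_t)x) : 0;
    uint32_t dst_start = x < 0 ? 0 : (uint32_t)x;
    uint32_t avail_src = src_w - src_start; /* wraps if src_start > src_w */
    uint32_t avail_dst = dst_w - dst_start;
    return avail_src < avail_dst ? avail_src : avail_dst;
}

/* Checked span: widen to 64 bits, reject rows with no x overlap, then clip. */
bool row_span_checked(int32_t x, uint32_t src_w, uint32_t dst_w,
                      size_t *src_start, size_t *dst_start, size_t *len)
{
    int64_t x0 = x;
    int64_t x1 = x0 + (int64_t)src_w; /* one past the last source column */
    if (x1 <= 0 || x0 >= (int64_t)dst_w)
        return false;                 /* fully out of bounds on the x-axis */
    int64_t lo = x0 < 0 ? 0 : x0;
    int64_t hi = x1 > (int64_t)dst_w ? (int64_t)dst_w : x1;
    *src_start = (size_t)(lo - x0);
    *dst_start = (size_t)lo;
    *len = (size_t)(hi - lo);
    return true;
}

int main(void)
{
    size_t s = 0, d = 0, n = 0;
    /* Constructed case: 4-pixel source at x = -10 on a 100-pixel row. */
    printf("unchecked len: %zu\n", row_len_unchecked(-10, 4, 100));
    printf("checked overlap: %d\n", row_span_checked(-10, 4, 100, &s, &d, &n));
    if (row_span_checked(-2, 4, 100, &s, &d, &n))
        printf("x=-2: src_start=%zu dst_start=%zu len=%zu\n", s, d, n);
    return 0;
}
```

In the constructed case the unchecked helper returns a length of 100 pixels for a 4-pixel source row, while the checked helper reports no overlap and leaves nothing to copy.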

CVSS Version

Base Score: 7.3
CVSS Version: 4.0
Score Vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/46xxx/CVE-2025-46333.json
https://github.com/vancluever/z2d/issues/104
https://github.com/vancluever/z2d/issues/105
https://github.com/vancluever/z2d/security/advisories/GHSA-mm4c-p35v-7hx3
https://nvd.nist.gov/vuln/detail/CVE-2025-46333

Basic Information

Ecosystem
Base CVSS: 0
EPSS Probability: 0.00038%
EPSS Percentile: 0.10956%
Introduced Version: a99bf85d38d716d30b79c3546e7063af2e861f49
Fix Available
