[CVE-2014-2978] DirectFB remote out-of-bounds write vulnerability

Posted on Thu 15 May 2014 in Advisory


DirectFB is prone to an out-of-bound write vulnerability since version 1.4.4.

The vulnerability can be triggered remotely without authentication through Voodoo interface (network layer of DirectFB).


An attacker can choose to overflow in the heap or the stack.

CVSS Version 2 Metrics

  • Access Vector: Network exploitable
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete

Disclosure Timeline

  • 2014-03-27 Developer notified
  • 2014-04-21 CVE-2014-2978 assigned
  • 2014-05-16 Public advisory


  • http://www.directfb.org/
  • http://mail.directfb.org/pipermail/directfb-dev/2014-March/006805.html