ALPINE-CVE-2019-11038

ALPINE-CVE-2019-11038 PUBLISHED CVSS 5.300000190734863 MEDIUM

When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.

Risk Scores

CVSS v3.1

5.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products

Vendor	Product	Versions
Alpine:v3.11	gd	2.2.5-r2, 2.2.5-r1, 2.2.5-r0
Alpine:v3.14	gd	2.2.5-r1, 2.2.5-r1, 2.2.5-r0
Alpine:v3.10	gd	2.0.35-r0, 2.0.35-r2, 2.0.36_rc1-r1
Alpine:v3.16	gd	2.0.36_rc1-r9, 2.2.5-r2, 2.2.5-r1
Alpine:v3.22	gd	2.0.35-r0, 2.0.35-r1, 2.0.35-r2
Alpine:v3.12	gd	0, 2.0.35-r0, 2.0.35-r1
Alpine:v3.20	gd	2.2.5-r2, 2.2.5-r1, 2.2.5-r0
Alpine:v3.9	gd	0, 2.0.35-r0, 2.0.35-r1
Alpine:v3.8	gd	0, 2.2.5-r2, 2.2.5-r1
Alpine:v3.18	gd	*, 0, 2.0.35-r0
Alpine:v3.19	gd	2.2.5-r2, 2.2.5-r1, 2.2.5-r0
Alpine:v3.15	gd	*, 2.0.35-r0, 2.0.35-r1
Alpine:v3.23	gd	2.2.5-r2, 2.2.5-r1, 2.2.5-r0
Alpine:v3.17	gd	2.0.35-r0, 2.2.5-r2, 2.2.5-r1
Alpine:v3.21	gd	0, 2.2.5-r2, 2.2.5-r1
Alpine:v3.13	gd	2.2.5-r2, 2.2.5-r1, 2.2.5-r0

Timeline

Jun 19, 2019 CVE Published
Dec 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2019-11038 advisory

Open in Interactive Console →