Executive Summary

CVE-2026-31899 is a high-severity vulnerability in the Kozea CairoSVG library, which converts SVG images using the Cairo 2D graphics library. The issue arises from the recursive processing of SVG <use> elements in the cairosvg/defs.py file, where there are no limits on recursion depth or the total number of elements processed.

An attacker can craft a small SVG file with nested <use> elements that exponentially amplify rendering calls, causing the CPU to be exhausted and pegged at 100% indefinitely. For example, 5 levels of nested <use> elements with 10 references at each level can cause about 100,000 rendering calls from a 1,411-byte SVG input.

This leads to a denial of service (DoS) by making the rendering process hang indefinitely without completing, although memory usage remains stable. The vulnerability affects all versions of CairoSVG up to the latest at the time of reporting.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service (DoS) by exhausting CPU resources when processing maliciously crafted SVG files containing recursive <use> elements.

If you use CairoSVG in services that accept SVG input for rendering tasks such as thumbnail generation, PDF creation, or avatar rendering, an attacker can remotely trigger this vulnerability to cause your service to hang indefinitely, making it unavailable.

The attack requires no privileges or user interaction and can be executed remotely over the network, making it easy to exploit and potentially disruptive to availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for processes running CairoSVG that exhibit unusually high CPU usage without corresponding high memory usage, as the vulnerability causes CPU exhaustion from a small SVG input with nested <use> elements.'}, {'type': 'paragraph', 'content': 'One practical detection method is to identify if any SVG files with deeply nested or recursive <use> elements are being processed, especially if the rendering process hangs or consumes 100% CPU indefinitely.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect this condition include:'}, {'type': 'list_item', 'content': 'Use system monitoring tools like `top` or `htop` to check for CairoSVG processes pegging CPU at 100%.'}, {'type': 'list_item', 'content': 'Use `ps aux | grep cairosvg` to find running CairoSVG processes.'}, {'type': 'list_item', 'content': 'Use `strace -p <pid>` on the suspected process to observe if it is stuck in recursive calls.'}, {'type': 'list_item', 'content': "Analyze SVG inputs for nested <use> elements, for example by using `grep -o '<use' suspicious.svg | wc -l` to count <use> tags."}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves preventing the exponential resource exhaustion caused by recursive <use> elements in SVG files processed by CairoSVG.

Since no patched versions are available at the time of reporting, the recommended approach is to modify the CairoSVG rendering code to limit recursion depth and the total number of referenced elements.

• Implement a recursion depth counter in the `use()` function to cap recursion at a reasonable level (e.g., 10).
• Add a reference counting mechanism to track the number of referenced SVG elements during rendering.
• Abort rendering if the number of referenced elements exceeds 100,000 to prevent CPU exhaustion.

Alternatively, as a temporary measure, avoid processing untrusted or complex SVG files with nested <use> elements until a fixed version of CairoSVG is released.

Useful 0 Not Useful 0