# IDA 9.3sp2

This Service Pack of IDA 9.3 is a focused security release, addressing a set of externally reported vulnerabilities in the loaders, the command-line tools, and the Clang-based type parser. Following up on these reports, we also audited the surrounding code and fixed 10 additional internally discovered issues, listed below as general security and stability updates. You can download the latest IDA installer from [My Hex-Rays portal](https://my.hex-rays.com/dashboard/download-center/).

We'd like to thank the researchers who reported these issues through responsible disclosure. See our bug bounty program at [hex-rays.com/bug-bounty](https://hex-rays.com/bug-bounty).

## Complete list of bugfixes:

* BUGFIX: wasm: heap buffer overflow in the wasm loader when reading malformed LEB128 values in the function/import sections (reported by Milánek, Gen)
* BUGFIX: tools: multiple heap corruption and out-of-bounds bugs in `zipids`, `pcf` and `ptmobj` when parsing crafted input files (reported by Dell Security Assurance)
* BUGFIX: idaclang: argument injection in `CLANG_ARGV` could lead to arbitrary code execution when opening a malicious database (reported by Lam Jun Rong of Calif.io)
* BUGFIX: various security and stability updates (10 additional issues found during follow-up investigation)