CVE-2021-4156
libsndfile: heap out-of-bounds read in src/flac.c in flac_buffer_copy
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the FLAC codec, could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information that could be used in further exploitation of other flaws.
Se ha encontrado un fallo de lectura fuera de límites en la funcionalidad del códec FLAC de libsndfile. Un atacante que sea capaz de enviar un archivo especialmente diseñado (por medio de engañar a un usuario para que lo abra o de otro modo) a una aplicación enlazada con libsndfile y que use el códec FLAC, podría desencadenar una lectura fuera de límites que muy probablemente causaría un fallo, pero podría filtrar información de la memoria que podría usarse en una explotación posterior de otros fallos
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-12-22 CVE Reserved
- 2022-03-23 CVE Published
- 2023-11-12 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-125: Out-of-bounds Read
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2022/06/msg00020.html | Mailing List | |
https://lists.debian.org/debian-lts-announce/2022/09/msg00036.html | Mailing List |
URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=2027690 | 2024-08-03 | |
https://github.com/libsndfile/libsndfile/issues/731 | 2024-08-03 |
URL | Date | SRC |
---|---|---|
https://github.com/libsndfile/libsndfile/pull/732/commits/4c30646abf7834e406f7e2429c70bc254e18beab | 2023-09-29 |
URL | Date | SRC |
---|---|---|
https://security.gentoo.org/glsa/202309-11 | 2023-09-29 | |
https://access.redhat.com/security/cve/CVE-2021-4156 | 2022-05-10 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Libsndfile Project Search vendor "Libsndfile Project" | Libsndfile Search vendor "Libsndfile Project" for product "Libsndfile" | 1.1.10 Search vendor "Libsndfile Project" for product "Libsndfile" and version "1.1.10" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
|