Heap buffer out of bounds write in start_decoder in stb_vorbis
CVE-2023-45677

7.3HIGH

Key Information:

Vendor

Nothings

Status
Stb
Vendor
CVE Published:
21 October 2023

What is CVE-2023-45677?

The stb_vorbis library, a single-file MIT licensed library for processing Ogg Vorbis files, is susceptible to an out of bounds write vulnerability. This arises when negative values are read for length within the decoder setup. In scenarios where memory is allocated correctly but an invalid length is used in subsequent operations, it can result in writing outside the allocated memory area. This flaw can lead to potential code execution vulnerabilities when handling crafted Ogg Vorbis files.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

stb <= 1.22

References

https://securitylab.github.com/advisories/GHSL-2023-145_G...
x_refsource_CONFIRM
https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd3...
x_refsource_MISC
https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd3...
x_refsource_MISC

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.