CVE-2008-1423 — Integer Overflow or Wraparound in Libvorbis

CWE-189 CWE-190 — Integer Overflow or Wraparound CWE-122 — Heap-based Buffer Overflow9 documents8 sources

Severity

9.3CRITICALNVD

EPSS

10.7%

top 6.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Xiph.org Libvorbis

Timeline

PublishedMay 16

Latest updateMay 1

Description

Integer overflow in a certain quantvals and quantlist calculation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted OGG file with a large virtual space for its codebook, which triggers a heap overflow.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages2 packages

▶Debianxiph.org/libvorbis< 1.2.0.dfsg-3.1+3

▶NVDxiph.org/libvorbis6 versions+5

🔴Vulnerability Details

GHSA

GHSA-wf2j-2f6p-cm9w: Integer overflow in a certain quantvals and quantlist calculation in Xiph↗2022-05-01

▶

CVEList

CVE-2008-1423: Integer overflow in a certain quantvals and quantlist calculation in Xiph↗2008-05-16

▶

OSV

CVE-2008-1423: Integer overflow in a certain quantvals and quantlist calculation in Xiph↗2008-05-16

▶

📋Vendor Advisories

Ubuntu

libvorbis vulnerabilities↗2008-12-01

▶

Red Hat

vorbis: integer oveflow caused by huge codebooks↗2008-05-14

▶

Debian

CVE-2008-1423: libvorbis - Integer overflow in a certain quantvals and quantlist calculation in Xiph.org li...↗2008

▶

💬Community

Bugzilla

CVE-2009-3379 libvorbis: security fixes mentioned in MFSA 2009-63↗2009-10-29

▶

Bugzilla

CVE-2008-1423 vorbis: integer oveflow caused by huge codebooks↗2008-04-04

▶