CVE-2021-3246
published 2021-07-20CVE-2021-3246: A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file.
PriorityP343high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
3.29%
86.9th percentile
A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libsndfile | < libsndfile 1.0.31-2 (bookworm) | libsndfile 1.0.31-2 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| libsndfile_project | libsndfile | — | — |
| libsndfile_project | libsndfile | >= 0 < 1.0.31-2 | 1.0.31-2 |
| libsndfile_project | libsndfile | >= 0 < 1.0.31-2 | 1.0.31-2 |
| libsndfile_project | libsndfile | >= 0 < 1.0.31-2 | 1.0.31-2 |
| libsndfile_project | libsndfile | >= 0 < 1.0.31-2 | 1.0.31-2 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv8.8HIGH
vendor_debian8.8HIGH
vendor_redhat8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
libsndfile vulnerability
vendor_ubuntu·2021-07-29
CVE-2021-3246 libsndfile vulnerability
Title: libsndfile vulnerability
Summary: libsndfile could be made to crash or run programs as your login if it
opened a specially crafted file.
It was discovered that libsndfile incorrectly handled certain malformed
files. A remote attacker could use this issue to cause libsndfile to crash,
resulting in a denial of service, or possibly execute arbitrary code.
Instructions: After a standard system update you need to restart your session to make
all the necessary changes.
Ubuntu
libsndfile vulnerability
vendor_ubuntu·2021-07-29
CVE-2021-3246 libsndfile vulnerability
Title: libsndfile vulnerability
Summary: libsndfile could be made to crash or run programs as your login if it
opened a specially crafted file.
USN-5025-1 fixed a vulnerability in libsndfile. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that libsndfile incorrectly handled certain malformed
files. A remote attacker could use this issue to cause libsndfile to crash,
resulting in a denial of service, or possibly execute arbitrary code.
Instructions: After a standard system update you need to restart your session to make
all the necessary changes.
Red Hat
libsndfile: Heap buffer overflow via crafted WAV file allows arbitrary code execution
vendor_redhat·2021-07-20·CVSS 8.8
CVE-2021-3246 [HIGH] CWE-119 libsndfile: Heap buffer overflow via crafted WAV file allows arbitrary code execution
libsndfile: Heap buffer overflow via crafted WAV file allows arbitrary code execution
A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file.
A heap buffer overflow flaw was found in libsndfile. This flaw allows an attacker to execute arbitrary code via a crafted WAV file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Package: libsndfile (Red Hat Enterprise Linux 6) - Out of support scope
Package: libsndfile (Red Hat Enterprise Linux 9) - Not affected
Debian
CVE-2021-3246: libsndfile - A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.3...
vendor_debian·2021·CVSS 8.8
CVE-2021-3246 [HIGH] CVE-2021-3246: libsndfile - A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.3...
A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file.
Scope: local
bookworm: resolved (fixed in 1.0.31-2)
bullseye: resolved (fixed in 1.0.31-2)
forky: resolved (fixed in 1.0.31-2)
sid: resolved (fixed in 1.0.31-2)
trixie: resolved (fixed in 1.0.31-2)
GHSA
GHSA-p3g4-4phf-g392: A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1
ghsa_unreviewed·2022-05-24
CVE-2021-3246 [HIGH] CWE-787 GHSA-p3g4-4phf-g392: A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1
A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file.
OSV
CVE-2021-3246: A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1
osv·2021-07-20·CVSS 8.8
CVE-2021-3246 [HIGH] CVE-2021-3246: A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1
A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/libsndfile/libsndfile/issues/687https://lists.debian.org/debian-lts-announce/2021/07/msg00024.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLUDCEMMPRA3IYYYHVZUOUZXI65FU37V/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T7LNW4AVDVL3BU3N3KGVFLTYFASBVCIF/https://security.gentoo.org/glsa/202309-11https://www.debian.org/security/2021/dsa-4947https://github.com/libsndfile/libsndfile/issues/687https://lists.debian.org/debian-lts-announce/2021/07/msg00024.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLUDCEMMPRA3IYYYHVZUOUZXI65FU37V/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T7LNW4AVDVL3BU3N3KGVFLTYFASBVCIF/https://security.gentoo.org/glsa/202309-11https://www.debian.org/security/2021/dsa-4947
2021-07-20
Published