CVE-2021-40426 — Heap-based Buffer Overflow in Exchange Libsox

CWE-122 — Heap-based Buffer Overflow CWE-787 — Out-of-bounds Write12 documents8 sources

Severity

8.8HIGHNVD

OSV5.5

EPSS

0.5%

top 32.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sound Exchange Libsox Sound Exchange Project Sound Exchange

Timeline

PublishedApr 14

Latest updateMar 20

Description

A heap-based buffer overflow vulnerability exists in the sphere.c start_read() functionality of Sound Exchange libsox 14.4.2 and master commit 42b3557e. A specially-crafted file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5sound_exchange/libsox14.4.2, master commit 42b3557e+1

▶NVDsound_exchange_project/sound_exchange14.4.2

🔴Vulnerability Details

OSV

sox regression↗2023-03-20

▶

OSV

sox vulnerabilities↗2023-03-02

▶

GHSA

GHSA-5x4j-m9qh-g9w5: A heap-based buffer overflow vulnerability exists in the sphere↗2022-04-15

▶

OSV

CVE-2021-40426: A heap-based buffer overflow vulnerability exists in the sphere↗2022-04-14

▶

CVEList

CVE-2021-40426: A heap-based buffer overflow vulnerability exists in the sphere↗2022-04-14

▶

📋Vendor Advisories

Ubuntu

SoX regression↗2023-03-20

▶

Ubuntu

SoX vulnerabilities↗2023-03-02

▶

Red Hat

sox: heap-based buffer overflow vulnerability exists in the sphere.c start_read() function↗2022-04-14

▶

Debian

CVE-2021-40426: sox - A heap-based buffer overflow vulnerability exists in the sphere.c start_read() f...↗2021

▶

🕵️Threat Intelligence

Talos

Vulnerability Spotlight: Heap overflow in Sound Exchange libsox library↗2022-03-23

▶

Talos

Vulnerability Spotlight: Heap overflow in Sound Exchange libsox library↗2022-03-23

▶