CVE-2021-4156
published 2022-03-23CVE-2021-4156: An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. An attacker who is able to submit a specially crafted file (via tricking a user…
PriorityP335high7.1CVSS 3.1
AVNACLPRNUIRSUCLINAH
EPSS
1.75%
75.1th percentile
An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the FLAC codec, could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information that could be used in further exploitation of other flaws.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libsndfile | < libsndfile 1.1.0-1 (bookworm) | libsndfile 1.1.0-1 (bookworm) |
| libsndfile_project | libsndfile | — | — |
| libsndfile_project | libsndfile | — | — |
| libsndfile_project | libsndfile | >= 0 < 1.0.31-2+deb11u2 | 1.0.31-2+deb11u2 |
| libsndfile_project | libsndfile | >= 0 < 1.1.0-1 | 1.1.0-1 |
| libsndfile_project | libsndfile | >= 0 < 1.1.0-1 | 1.1.0-1 |
| libsndfile_project | libsndfile | >= 0 < 1.1.0-1 | 1.1.0-1 |
| libsndfile_project | libsndfile | >= 0 < 1.0.28-7ubuntu0.3 | 1.0.28-7ubuntu0.3 |
| libsndfile_project | libsndfile | >= 0 < 1.0.31-2ubuntu0.2 | 1.0.31-2ubuntu0.2 |
| libsndfile_project | libsndfile | >= 0 < 1.0.25-7ubuntu2.2+esm4 | 1.0.25-7ubuntu2.2+esm4 |
| libsndfile_project | libsndfile | >= 0 < 1.0.28-4ubuntu0.18.04.2+esm2 | 1.0.28-4ubuntu0.18.04.2+esm2 |
CVSS provenance
nvdv3.17.1HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
nvdv2.05.8MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:P
osv7.1HIGH
vendor_debian7.1HIGH
vendor_redhat7.1HIGH
vendor_ubuntu7.1HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
libsndfile vulnerabilities
vendor_ubuntu·2025-02-18·CVSS 7.1
CVE-2021-4156 [HIGH] libsndfile vulnerabilities
Title: libsndfile vulnerabilities
Summary: Several security issues were fixed in libsndfile.
It was discovered that libsndfile incorrectly handled memory when executing
its FLAC codec. If a user or automated system were tricked into processing
a specially crafted sound file, an attacker could possibly use this issue
to cause a denial of service or obtain sensitive information.
(CVE-2021-4156)
It was discovered that libsndfile incorrectly handled certain malformed
OggVorbis files. An attacker could possibly use this issue to cause
libsndfile to crash, resulting in a denial of service. (CVE-2024-50612)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
libsndfile vulnerability
vendor_ubuntu·2022-05-10
CVE-2021-4156 libsndfile vulnerability
Title: libsndfile vulnerability
Summary: libsndfile could be made to crash or expose sensitive information
if it received specially crafted input.
It was discovered that libsndfile was incorrectly performing memory
management operations and incorrectly using buffers when executing
its FLAC codec. If a user or automated system were tricked into
processing a specially crafted sound file, an attacker could
possibly use this issue to cause a denial of service or obtain
sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
libsndfile: heap out-of-bounds read in src/flac.c in flac_buffer_copy
vendor_redhat·2021-04-13·CVSS 7.1
CVE-2021-4156 [HIGH] CWE-125 libsndfile: heap out-of-bounds read in src/flac.c in flac_buffer_copy
libsndfile: heap out-of-bounds read in src/flac.c in flac_buffer_copy
An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the FLAC codec, could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information that could be used in further exploitation of other flaws.
An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the FLAC codec, could trigger an out-of-bounds read that would most li
Debian
CVE-2021-4156: libsndfile - An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. A...
vendor_debian·2021·CVSS 7.1
CVE-2021-4156 [HIGH] CVE-2021-4156: libsndfile - An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. A...
An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the FLAC codec, could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information that could be used in further exploitation of other flaws.
Scope: local
bookworm: resolved (fixed in 1.1.0-1)
bullseye: resolved (fixed in 1.0.31-2+deb11u2)
forky: resolved (fixed in 1.1.0-1)
sid: resolved (fixed in 1.1.0-1)
trixie: resolved (fixed in 1.1.0-1)
OSV
libsndfile vulnerabilities
osv·2025-02-18·CVSS 7.1
CVE-2021-4156 [HIGH] libsndfile vulnerabilities
libsndfile vulnerabilities
It was discovered that libsndfile incorrectly handled memory when executing
its FLAC codec. If a user or automated system were tricked into processing
a specially crafted sound file, an attacker could possibly use this issue
to cause a denial of service or obtain sensitive information.
(CVE-2021-4156)
It was discovered that libsndfile incorrectly handled certain malformed
OggVorbis files. An attacker could possibly use this issue to cause
libsndfile to crash, resulting in a denial of service. (CVE-2024-50612)
GHSA
GHSA-vvgm-gfhp-rj9x: An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality
ghsa_unreviewed·2022-03-24
CVE-2021-4156 [HIGH] CWE-125 GHSA-vvgm-gfhp-rj9x: An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality
An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the FLAC codec, could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information that could be used in further exploitation of other flaws.
OSV
CVE-2021-4156: An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality
osv·2022-03-23·CVSS 7.1
CVE-2021-4156 [HIGH] CVE-2021-4156: An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality
An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the FLAC codec, could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information that could be used in further exploitation of other flaws.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://bugzilla.redhat.com/show_bug.cgi?id=2027690https://github.com/libsndfile/libsndfile/issues/731https://github.com/libsndfile/libsndfile/pull/732/commits/4c30646abf7834e406f7e2429c70bc254e18beabhttps://lists.debian.org/debian-lts-announce/2022/06/msg00020.htmlhttps://lists.debian.org/debian-lts-announce/2022/09/msg00036.htmlhttps://security.gentoo.org/glsa/202309-11https://bugzilla.redhat.com/show_bug.cgi?id=2027690https://github.com/libsndfile/libsndfile/issues/731https://github.com/libsndfile/libsndfile/pull/732/commits/4c30646abf7834e406f7e2429c70bc254e18beabhttps://lists.debian.org/debian-lts-announce/2022/06/msg00020.htmlhttps://lists.debian.org/debian-lts-announce/2022/09/msg00036.htmlhttps://lists.debian.org/debian-lts-announce/2025/12/msg00013.htmlhttps://security.gentoo.org/glsa/202309-11
2022-03-23
Published