CVE-2021-44269
Published 2022-03-10
Priority: P4 · 19 · medium · 5.5 (CVSS 3.1)
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:N / I:N / A:H
EPSS: 1.16% (63.1th percentile)
An out-of-bounds read was found in WavPack 5.4.0 when processing *.WAV files. The issue is triggered in the function WavpackPackSamples in src/pack_utils.c: the tainted variable cnt is too large, which makes the pointer sptr read beyond the heap bound.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wavpack | < wavpack 5.5.0-1 (bookworm) | wavpack 5.5.0-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | cbl2_wavpack_5.6.0-1_on_cbl_mariner_2.0 | — | — |
| wavpack | wavpack | — | — |
| wavpack | wavpack | >= 0 < 5.5.0-1 | 5.5.0-1 |
| wavpack | wavpack | >= 0 < 5.5.0-1 | 5.5.0-1 |
| wavpack | wavpack | >= 0 < 5.5.0-1 | 5.5.0-1 |
CVSS provenance
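| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 5.5 | MEDIUM | — |
| vendor_debian | — | 5.5 | LOW | — |
| vendor_msrc | — | 5.5 | MEDIUM | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |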
Microsoft
An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This issue triggered in function WavpackPackSamples of file src/pack_utils.c tainted variable cnt is too large that makes po
vendor_msrc·2022-03-08·CVSS 5.5
CVE-2021-44269 [MEDIUM] CWE-125 An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This issue triggered in function WavpackPackSamples of file src/pack_utils.c tainted variable cnt is too large that makes po
An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This issue triggered in function WavpackPackSamples of file src/pack_utils.c tainted variable cnt is too large that makes pointer sptr read beyond heap bound.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products
Red Hat
wavpack: Heap out-of-bounds read in WavpackPackSamples()
vendor_redhat·2021-11-23·CVSS 5.5
CVE-2021-44269 [MEDIUM] CWE-125 wavpack: Heap out-of-bounds read in WavpackPackSamples()
An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This issue triggered in function WavpackPackSamples of file src/pack_utils.c, tainted variable cnt is too large, that makes pointer sptr read beyond heap bound.
A heap out-of-bounds read flaw was found in WavPack's WavpackPackSamples() function of src/pack_utils.c and only affects the command-line program of WavPack (not libwavpack). This flaw allows an attacker to exploit this flaw for a website that uses the WavPack command-line program on user-provided files, causing a denial of service.
Statement: Red Hat Product Security has rated this issue as having a Low security impact, and since Red Hat Enterprise Linux 6, 7 are Out-of-Support-Scope, the issue is
Debian
CVE-2021-44269: wavpack - An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This...
vendor_debian·2021·CVSS 5.5
CVE-2021-44269 [MEDIUM] CVE-2021-44269: wavpack - An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This...
An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This issue triggered in function WavpackPackSamples of file src/pack_utils.c, tainted variable cnt is too large, that makes pointer sptr read beyond heap bound.
Scope: local
bookworm: resolved (fixed in 5.5.0-1)
bullseye: open
forky: resolved (fixed in 5.5.0-1)
sid: resolved (fixed in 5.5.0-1)
trixie: resolved (fixed in 5.5.0-1)
GHSA
GHSA-f35r-5xp5-9859: An out of bounds read was found in Wavpack 5
ghsa_unreviewed·2022-03-11
CVE-2021-44269 [MEDIUM] CWE-125 GHSA-f35r-5xp5-9859: An out of bounds read was found in Wavpack 5
An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This issue triggered in function WavpackPackSamples of file src/pack_utils.c, tainted variable cnt is too large, that makes pointer sptr read beyond heap bound.
OSV
CVE-2021-44269: An out of bounds read was found in Wavpack 5
osv·2022-03-10·CVSS 5.5
CVE-2021-44269 [MEDIUM] CVE-2021-44269: An out of bounds read was found in Wavpack 5
An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This issue triggered in function WavpackPackSamples of file src/pack_utils.c, tainted variable cnt is too large, that makes pointer sptr read beyond heap bound.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/dbry/WavPack/issues/110
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2CZUFTX3J4Y4OSRITG4PXCI7NRVFDYVQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5B7L26LA6KGX7YH6SWD5CSBNWKV5MBO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRZWZKEEABCLVXZEXQZBIT3ZKLIXVFF5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I54NXQZELBF42OL4KQZJJRAYZX7IPZXP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQKOOJRI2VAPYS3652HVDXON723HTXBP/
Published: 2022-03-10