CVE-2021-44269 — Out-of-bounds Read in Wavpack

CWE-125 — Out-of-bounds Read6 documents6 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 69.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wavpack Debian Wavpack Fedoraproject Fedora +1 more

Timeline

PublishedMar 10

Latest updateMar 11

Description

An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This issue triggered in function WavpackPackSamples of file src/pack_utils.c, tainted variable cnt is too large, that makes pointer sptr read beyond heap bound.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/wavpack< wavpack 5.5.0-1 (bookworm)

▶Debianwavpack/wavpack< 5.5.0-1+2

▶NVDwavpack/wavpack5.4.0

▶msrcmsrc/cbl2_wavpack_5.6.0-1_on_cbl_mariner_2.0

Also affects: Fedora 34, 35, 36

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-f35r-5xp5-9859: An out of bounds read was found in Wavpack 5↗2022-03-11

▶

OSV

CVE-2021-44269: An out of bounds read was found in Wavpack 5↗2022-03-10

▶

📋Vendor Advisories

Microsoft

An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This issue triggered in function WavpackPackSamples of file src/pack_utils.c tainted variable cnt is too large that makes po↗2022-03-08

▶

Red Hat

wavpack: Heap out-of-bounds read in WavpackPackSamples()↗2021-11-23

▶

Debian

CVE-2021-44269: wavpack - An out of bounds read was found in Wavpack 5.4.0 in processing *.WAV files. This...↗2021

▶