CVE-2022-24599 — Missing Release of Memory after Effective Lifetime in Audiofile

CWE-401 — Missing Release of Memory after Effective Lifetime7 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 57.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Audiofile Debian Audiofile Debian Linux +1 more

Timeline

PublishedFeb 24

Latest updateDec 14

Description

In autofile Audio File Library 0.3.6, there exists one memory leak vulnerability in printfileinfo, in printinfo.c, which allows an attacker to leak sensitive information via a crafted file. The printfileinfo function calls the copyrightstring function to get data, however, it dosn't use zero bytes to truncate the data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/audiofile< audiofile 0.3.6-5+deb12u1 (bookworm)

▶Debianaudiofile/audiofile< 0.3.6-5+deb11u1+3

▶Ubuntuaudiofile/audiofile< 0.3.6-5+deb10u1build0.20.04.1+4

▶NVDaudiofile/audiofile0.3.6

Also affects: Debian Linux 10.0, Fedora 37, 38, 39

🔴Vulnerability Details

OSV

audiofile vulnerabilities↗2023-12-14

▶

GHSA

GHSA-9hgh-v7v7-5f66: In autofile Audio File Library 0↗2022-02-25

▶

OSV

CVE-2022-24599: In autofile Audio File Library 0↗2022-02-24

▶

📋Vendor Advisories

Ubuntu

audiofile vulnerabilities↗2023-12-14

▶

Red Hat

audiofile: memory leak in printinfo.c↗2022-02-24

▶

Debian

CVE-2022-24599: audiofile - In autofile Audio File Library 0.3.6, there exists one memory leak vulnerability...↗2022

▶