CVE-2024-10573
published 2024-10-31CVE-2024-10573: An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located…
PriorityP434medium6.7CVSS 3.1
AVLACHPRLUIRSUCHIHAH
EPSS
0.35%
26.7th percentile
An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mpg123 | < mpg123 1.31.2-1+deb12u1 (bookworm) | mpg123 1.31.2-1+deb12u1 (bookworm) |
| mpg123 | mpg123 | >= 0 < 1.26.4-1+deb11u1 | 1.26.4-1+deb11u1 |
| mpg123 | mpg123 | >= 0 < 1.31.2-1+deb12u1 | 1.31.2-1+deb12u1 |
| mpg123 | mpg123 | >= 0 < 1.32.8-1 | 1.32.8-1 |
| mpg123 | mpg123 | >= 0 < 1.32.8-1 | 1.32.8-1 |
CVSS provenance
nvdv3.16.7MEDIUMCVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
osv6.7MEDIUM
vendor_debian6.7MEDIUM
vendor_redhat6.7MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ivanti
Ivanti Security Advisory: CVE-2025-10573
vendor_ivanti·2025-12-09·CVSS 9.6
CVE-2025-10573 [CRITICAL] CWE-79 Ivanti Security Advisory: CVE-2025-10573
Ivanti Security Advisory: CVE-2025-10573
Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required.
CVE IDs: CVE-2025-10573
CVSS Base Score: 9.6
Severity: CRITICAL
CWEs: CWE-79
Ubuntu
mpg123 vulnerability
vendor_ubuntu·2024-11-27
CVE-2024-10573 mpg123 vulnerability
Title: mpg123 vulnerability
Summary: mpg123 could be made to crash or run programs as your login if it opened a
specially crafted file.
USN-7092-1 fixed a vulnerability in mpg123. Bastien Roucariès discovered
that the fix was incomplete on Ubuntu 20.04 LTS. This update fixes the
problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that mpg123 incorrectly handled certain mp3 files. If a
user or automated system were tricked into opening a specially crafted mp3
file, a remote attacker could use this issue to cause mpg123 to crash,
resulting in a denial of service, or possibly execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
mpg123 vulnerability
vendor_ubuntu·2024-11-05
CVE-2024-10573 mpg123 vulnerability
Title: mpg123 vulnerability
Summary: mpg123 could be made to crash or run programs as your login if it opened a
specially crafted file.
It was discovered that mpg123 incorrectly handled certain mp3 files. If a
user or automated system were tricked into opening a specially crafted mp3
file, a remote attacker could use this issue to cause mpg123 to crash,
resulting in a denial of service, or possibly execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
mpg123: Buffer overflow when writing decoded PCM samples
vendor_redhat·2024-10-30·CVSS 6.7
CVE-2024-10573 [MEDIUM] CWE-787 mpg123: Buffer overflow when writing decoded PCM samples
mpg123: Buffer overflow when writing decoded PCM samples
An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.
An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Conse
Debian
CVE-2024-10573: mpg123 - An out-of-bounds write flaw was found in mpg123 when handling crafted streams. W...
vendor_debian·2024·CVSS 6.7
CVE-2024-10573 [MEDIUM] CVE-2024-10573: mpg123 - An out-of-bounds write flaw was found in mpg123 when handling crafted streams. W...
An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.
Scope: local
bookworm: resolved (fixed in 1.31.2-1+deb12u1)
bullseye: resolved (fixed in 1.26.4-1+deb11u1)
forky: resolved (fixed in 1.32.8-1)
sid: resolved (fixed in 1.32.8-1)
trixie: resolved (fixed in 1.32.8-1)
OSV
CVE-2024-10573: An out-of-bounds write flaw was found in mpg123 when handling crafted streams
osv·2024-10-31·CVSS 6.7
CVE-2024-10573 [MEDIUM] CVE-2024-10573: An out-of-bounds write flaw was found in mpg123 when handling crafted streams
An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.
GHSA
GHSA-7m7j-pgpw-9g75: An out-of-bounds write flaw was found in mpg123 when handling crafted streams
ghsa_unreviewed·2024-10-31
CVE-2024-10573 [MEDIUM] CWE-787 GHSA-7m7j-pgpw-9g75: An out-of-bounds write flaw was found in mpg123 when handling crafted streams
An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://access.redhat.com/errata/RHSA-2024:11193https://access.redhat.com/errata/RHSA-2024:11242https://access.redhat.com/security/cve/CVE-2024-10573https://bugzilla.redhat.com/show_bug.cgi?id=2322980https://mpg123.org/cgi-bin/news.cgi#2024-10-26http://www.openwall.com/lists/oss-security/2024/10/30/3http://www.openwall.com/lists/oss-security/2024/10/31/4http://www.openwall.com/lists/oss-security/2024/11/01/1https://lists.debian.org/debian-lts-announce/2024/11/msg00025.html
2024-10-31
Published