CVE-2024-50612
published 2024-10-27CVE-2024-50612: libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds read.
PriorityP419medium5.5CVSS 3.1
AVLACLPRLUINSUCNINAH
EPSS
0.31%
22.4th percentile
libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds read.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libsndfile | < libsndfile 1.2.0-1+deb12u1 (bookworm) | libsndfile 1.2.0-1+deb12u1 (bookworm) |
| libsndfile_project | libsndfile | <= 1.2.2 | — |
| libsndfile_project | libsndfile | >= 0 < 1.0.31-2+deb11u1 | 1.0.31-2+deb11u1 |
| libsndfile_project | libsndfile | >= 0 < 1.2.0-1+deb12u1 | 1.2.0-1+deb12u1 |
| libsndfile_project | libsndfile | >= 0 < 1.2.2-2 | 1.2.2-2 |
| libsndfile_project | libsndfile | >= 0 < 1.2.2-2 | 1.2.2-2 |
| libsndfile_project | libsndfile | >= 0 < 1.0.28-7ubuntu0.3 | 1.0.28-7ubuntu0.3 |
| libsndfile_project | libsndfile | >= 0 < 1.0.31-2ubuntu0.2 | 1.0.31-2ubuntu0.2 |
| libsndfile_project | libsndfile | >= 0 < 1.0.25-7ubuntu2.2+esm4 | 1.0.25-7ubuntu2.2+esm4 |
| libsndfile_project | libsndfile | >= 0 < 1.0.28-4ubuntu0.18.04.2+esm2 | 1.0.28-4ubuntu0.18.04.2+esm2 |
| msrc | azl3_libsndfile_1.2.2-3_on_azure_linux_3.0 | — | — |
| msrc | cbl2_libsndfile_1.0.31-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_libsndfile_1.0.31-4_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv7.1HIGH
vendor_ubuntu7.1HIGH
vendor_debian5.5MEDIUM
vendor_redhat5.5MEDIUM
vendor_msrc5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
libsndfile vulnerabilities
osv·2025-02-18·CVSS 7.1
CVE-2021-4156 [HIGH] libsndfile vulnerabilities
libsndfile vulnerabilities
It was discovered that libsndfile incorrectly handled memory when executing
its FLAC codec. If a user or automated system were tricked into processing
a specially crafted sound file, an attacker could possibly use this issue
to cause a denial of service or obtain sensitive information.
(CVE-2021-4156)
It was discovered that libsndfile incorrectly handled certain malformed
OggVorbis files. An attacker could possibly use this issue to cause
libsndfile to crash, resulting in a denial of service. (CVE-2024-50612)
GHSA
GHSA-cq86-p348-qr4p: libsndfile through 1
ghsa_unreviewed·2024-10-28
CVE-2024-50612 [MEDIUM] CWE-125 GHSA-cq86-p348-qr4p: libsndfile through 1
libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds read.
OSV
CVE-2024-50612: libsndfile through 1
osv·2024-10-27·CVSS 5.5
CVE-2024-50612 [MEDIUM] CVE-2024-50612: libsndfile through 1
libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds read.
Ubuntu
libsndfile vulnerability
vendor_ubuntu·2025-02-25
CVE-2024-50612 libsndfile vulnerability
Title: libsndfile vulnerability
Summary: libsndfile could be made to crash if it opened a specially crafted file.
USN-7267-1 fixed a vulnerability in libsndfile. This update provides
the corresponding updates for Ubuntu 24.04 LTS and Ubuntu 24.10.
Original advisory details:
It was discovered that libsndfile incorrectly handled certain malformed
OggVorbis files. An attacker could possibly use this issue to cause
libsndfile to crash, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
libsndfile vulnerabilities
vendor_ubuntu·2025-02-18·CVSS 7.1
CVE-2021-4156 [HIGH] libsndfile vulnerabilities
Title: libsndfile vulnerabilities
Summary: Several security issues were fixed in libsndfile.
It was discovered that libsndfile incorrectly handled memory when executing
its FLAC codec. If a user or automated system were tricked into processing
a specially crafted sound file, an attacker could possibly use this issue
to cause a denial of service or obtain sensitive information.
(CVE-2021-4156)
It was discovered that libsndfile incorrectly handled certain malformed
OggVorbis files. An attacker could possibly use this issue to cause
libsndfile to crash, resulting in a denial of service. (CVE-2024-50612)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
libsndfile vulnerability
vendor_ubuntu·2025-02-13
CVE-2024-50612 libsndfile vulnerability
Title: libsndfile vulnerability
Summary: libsndfile could be made to crash if it opened a specially crafted file.
It was discovered that libsndfile incorrectly handled certain malformed
OggVorbis files. An attacker could possibly use this issue to cause
libsndfile to crash, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
libsndfile: Segmentation fault error in ogg_vorbis.c:417 vorbis_analysis_wrote()
vendor_redhat·2024-10-27·CVSS 5.5
CVE-2024-50612 [MEDIUM] CWE-125 libsndfile: Segmentation fault error in ogg_vorbis.c:417 vorbis_analysis_wrote()
libsndfile: Segmentation fault error in ogg_vorbis.c:417 vorbis_analysis_wrote()
libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds read.
A flaw was found in the libsndfile package. A specially crafted input file may trigger an out-of-bounds read, leading to memory corruption and a denial of service.
Package: libsndfile (Red Hat Enterprise Linux 10) - Not affected
Package: libsndfile (Red Hat Enterprise Linux 7) - Out of support scope
Microsoft
libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds read.
vendor_msrc·2024-10-08·CVSS 5.3
CVE-2024-50612 [MEDIUM] CWE-125 libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds read.
libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds read.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
mitre: mitre
Customer Action Required: Yes
Remediation: CBL-Mariner Rel
Debian
CVE-2024-50612: libsndfile - libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds...
vendor_debian·2024·CVSS 5.5
CVE-2024-50612 [MEDIUM] CVE-2024-50612: libsndfile - libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds...
libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds read.
Scope: local
bookworm: resolved (fixed in 1.2.0-1+deb12u1)
bullseye: resolved (fixed in 1.0.31-2+deb11u1)
forky: resolved (fixed in 1.2.2-2)
sid: resolved (fixed in 1.2.2-2)
trixie: resolved (fixed in 1.2.2-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-10-27
Published