VDB

CVE-2023-45681

CVE-2023-45681 PUBLISHED CVSS 7.300000190734863 HIGH

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory write past an allocated heap buffer in `start_decoder`. The root cause is a potential integer overflow in `sizeof(char*) * (f->comment_list_length)` which may make `setup_malloc` allocate less memory than required. Since there is another integer overflow an attacker may overflow it too to force `setup_malloc` to return 0 and make the exploit more reliable. This issue may lead to code execution.

EPSS 0.05% · 15.7th percentile

Risk Scores

CVSS 3.1
7.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score
0.05%
15.7th percentile

Affected Products

VendorProductVersions
nothingsstb_vorbis.c1.22
nothingsstb0
nothingsstb<= 1.22

Timeline

  • Oct 20, 2023 CVE Published
  • Oct 21, 2023 EPSS Score
  • Nov 21, 2023 EPSS Score
  • Dec 22, 2023 EPSS Score
  • Jan 22, 2024 EPSS Score
  • Feb 22, 2024 EPSS Score
  • Mar 25, 2024 EPSS Score
  • Apr 25, 2024 EPSS Score
  • May 26, 2024 EPSS Score
  • Jun 26, 2024 EPSS Score
  • Jul 27, 2024 EPSS Score
  • Aug 27, 2024 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›