CVE-2024-10573

Published: Oct 31, 2024Modified: Dec 18, 2024

6.7

Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Exploitability: 0.8 / Impact: 5.9

Source: secalert@redhat.com (Secondary)

Description

An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.

Related CWEs

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

References (9)

https://access.redhat.com/errata/RHSA-2024:11193

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2024:11242

Source: secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2024-10573

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2322980

Source: secalert@redhat.com

https://mpg123.org/cgi-bin/news.cgi#2024-10-26

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2024/10/30/3

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2024/10/31/4

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2024/11/01/1

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2024/11/msg00025.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.