QwikSec

Security Database

CVE

CWE

Training

CVE-2023-45681

Published: Oct 20, 2023

Modified: Feb 13, 2025

PUBLISHED

CVSS v3.1

7.3

HIGH

Description

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory write past an allocated heap buffer in `start_decoder`. The root cause is a potential integer overflow in `sizeof(char*) * (f->comment_list_length)` which may make `setup_malloc` allocate less memory than required. Since there is another integer overflow an attacker may overflow it too to force `setup_malloc` to return 0 and make the exploit more reliable. This issue may lead to code execution.

Vendor	Product	Versions
nothings	stb	affected `<= 1.22`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

References

https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/

x_refsource_CONFIRM

https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3660-L3677

x_refsource_MISC

https://lists.fedoraproject.org/archives/list/[email protected]/message/LBIPXOBWUHPAH4QHMVP2AWWAPDDZDQ66/

https://lists.fedoraproject.org/archives/list/[email protected]/message/2WRORYQ2Z2XXHPX36JHBUSDVY6IOMW2N/

https://lists.fedoraproject.org/archives/list/[email protected]/message/2MHQQXX27ACLLYUQHWSL3DVCOGUK5ZA4/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.