Rohan Padhye

**Name of the Vulnerable Software and Affected Versions** WavPack versions 5.1.0 and earlier **Description** The issue is related to the use of uninitialized variables in the ParseWave64HeaderConfig component of the WavPack audio codec. This can lead to unexpected control flow, crashes, and segfaults when a maliciously crafted .wav file is processed. The attack vector is a malicious .wav file. **Recommendations** For WavPack versions 5.1.0 and earlier, update to a version after commit https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe to resolve the issue. As a temporary workaround, consider avoiding the use of the ParseWave64HeaderConfig function until a patch is available. Restrict access to malicious .wav files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WavPack versions 5.1.0 and earlier **Description** The issue is related to the use of uninitialized variables in the ParseCaffHeaderConfig function of the WavPack audio codec. This can be exploited by a remote attacker using a malicious .wav file, potentially leading to unexpected control flow, crashes, and segfaults. The component affected is ParseCaffHeaderConfig in the caff.c file. **Recommendations** For WavPack versions 5.1.0 and earlier, update to a version after commit https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b to resolve the issue. As a temporary workaround, consider avoiding the use of .wav files from untrusted sources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WavPack versions 5.1 and earlier **Description** The issue is related to a division by zero error in the ParseDsdiffHeaderConfig function of the dsdiff.c component in the WavPack audio codec. This can be exploited by a remote attacker using a malicious .wav file, leading to a denial of service through a crash. The component affected is ParseDsdiffHeaderConfig, and the attack vector involves a maliciously crafted .wav file. **Recommendations** For WavPack versions 5.1 and earlier, update to a version after the commit https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc to resolve the issue. As a temporary workaround, consider restricting the use of malicious .wav files to minimize the risk of exploitation.