CVE-2018-20992

Name of the Vulnerable Software and Affected Versions Claxon versions prior to 0.4.1

Description An issue in Claxon allows uninitialized memory to be exposed due to mishandled decode buffer sizes. The affected versions made an invalid assumption about the decode buffer size being a multiple of a value read from the bitstream, potentially causing parts of the decode buffer to not be overwritten. If the decode buffer was newly allocated and uninitialized, this uninitialized memory could be exposed, allowing an attacker to observe parts of it in the decoded audio stream.

Recommendations For versions prior to 0.4.1, update to version 0.4.1 or later, which includes a correction to check that the value read from the bitstream divides the decode buffer size and returns a format error if it does not, preventing the exposure of the decode buffer.