CVE-2021-40827

Name of the Vulnerable Software and Affected Versions Clementine Music Player versions prior to 1.3.1 (when a GLib 2.0.0 DLL is used)

Description The issue affects the MP3 file parsing functionality, specifically at memcpy+0x265, and is triggered when a user opens a crafted MP3 file or loads a remote stream URL that is mishandled. This can cause a crash of the clementine.exe process or potentially allow arbitrary code execution in the context of the current logged-in Windows user.

Recommendations For Clementine Music Player versions prior to 1.3.1, consider avoiding the use of crafted MP3 files or remote stream URLs until a fix is available. As a temporary workaround, restrict the handling of MP3 files and remote streams to minimize the risk of exploitation.