PT-2024-9756 · Mpg123+8

Marco Benatto · Published 2024-10-30 · Updated 2025-03-17 · CVE-2024-10573

CVSS v3.1: 6.7 (Medium)
Vector: AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: mpg123 (affected versions not specified)

Description: An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, libmpg123 may write past the end of a heap-allocated buffer. The resulting heap corruption could lead to arbitrary code execution, which cannot be ruled out. The complexity required to exploit this flaw is considered high, because the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making live web stream content (such as web radios) a very unlikely attack vector.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Memory Corruption


Weakness Enumeration

Related Identifiers

ALSA-2024:11193
ALSA-2024:11242
BDU:2024-11493
CESA-2024_11193
CVE-2024-10573
DLA-3967-1
DSA-5811-1
INFSA-2024_11193
INFSA-2024_11242
MGASA-2024-0358
OPENSUSE-SU-2024:14454-1
RHSA-2024:11193
RHSA-2024:11242
RHSA-2024_11193
RHSA-2024_11242
RLSA-2024:11242
USN-7092-1
USN-7092-2

Affected Products

Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Ubuntu
Mpg123