CVE-2023-45682

low-risk

Published 2023-10-21

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds read in `DECODE` macro when `var` is negative. As it can be seen in the definition of `DECODE_RAW` a negative `var` is a valid value. This issue may be used to leak internal memory allocation information.

Do I need to act?

-

0.02% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

5

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Stb Vorbis.C

Affected Vendors

Nothings

References (8)

Third Party Advisory https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/st...

Third Party Advisory https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/st...

Third Party Advisory https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/st...

Third Party Advisory https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_...

Third Party Advisory https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/st...

Third Party Advisory https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/st...

Third Party Advisory https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/st...

Third Party Advisory https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_...

26

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal