CVE-2023-45681
Published: October 21, 2023Last modified: July 18, 2025
Description
stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory write past an allocated heap buffer in `start_decoder`. The root cause is a potential integer overflow in `sizeof(char*) * (f->comment_list_length)` which may make `setup_malloc` allocate less memory than required. Since there is another integer overflow an attacker may overflow it too to force `setup_malloc` to return 0 and make the exploit more reliable. This issue may lead to code execution.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack Vector | LOCAL |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity impact | HIGH |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | stb | Unknown (0_git20231012-r0) |
| Stream | stb | Unknown (0_git20231012-r0) |
References
- https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3660-L3677
- https://lists.fedoraproject.org/archives/list/[email protected]/message/2MHQQXX27ACLLYUQHWSL3DVCOGUK5ZA4/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/2WRORYQ2Z2XXHPX36JHBUSDVY6IOMW2N/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/LBIPXOBWUHPAH4QHMVP2AWWAPDDZDQ66/
- https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/