CVE-2024-10573
Publication date 30 October 2024
Last updated 31 October 2024
Ubuntu priority
CVSS 3 Severity Score
There is an out-of-bounds write issue in mpg123, located in the handling of crafted streams. During PCM decoding, libmpg123 may write past the end of a buffer located on the heap; as a consequence, heap corruption may occur, and arbitrary code execution cannot be ruled out. The complexity required to exploit this flaw is considered high, as the payload needs to be validated by the MPEG decoder and by the PCM synth before being executed. Additionally, to successfully execute the attack, the user needs to scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.
Status
Package | Ubuntu Release | Status |
---|---|---|
mpg123 | 24.10 oracular | Needs evaluation |
mpg123 | 24.04 LTS noble | Needs evaluation |
mpg123 | 22.04 LTS jammy | Needs evaluation |
mpg123 | 20.04 LTS focal | Needs evaluation |
mpg123 | 18.04 LTS bionic | Needs evaluation |
mpg123 | 16.04 LTS xenial | Needs evaluation |
mpg123 | 14.04 LTS trusty | Needs evaluation |
Notes
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.7 · Medium |
Attack vector | Local |
Attack complexity | High |
Privileges required | Low |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |