SB2022053011 - Multiple vulnerabilities in Freeware Advanced Audio Decoder

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022053011

SB2022053011 - Multiple vulnerabilities in Freeware Advanced Audio Decoder

Published: May 30, 2022

Security Bulletin ID SB2022053011
Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 60% Medium 20% Low 20%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Heap-based buffer overflow (CVE-ID: CVE-2021-32278)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open specially crafted data, trigger a heap-based buffer overflow and execute arbitrary code on the target system.


2) Heap-based buffer overflow (CVE-ID: CVE-2021-32277)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the sbr_qmf_analysis_32() function in sbr_qmf.c. A remote attacker can trick the victim to open a specially crafted data, trigger a heap-based buffer overflow and execute arbitrary code on the target system.


3) NULL pointer dereference (CVE-ID: CVE-2021-32276)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in get_sample() function in output.c. A remote attacker can trick the victim to open a specially crafted data and perform a denial of service (DoS) attack.


4) Heap-based buffer overflow (CVE-ID: CVE-2021-32274)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the sbr_qmf_synthesis_64() function in sbr_qmf.c. A remote attacker can trick the victim to open a specially crafted data, trigger a heap-based buffer overflow and execute arbitrary code on the target system.


5) Stack-based buffer overflow (CVE-ID: CVE-2021-32273)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the ftypin() function in mp4read.c. A remote attacker can trick the victim to open a specially crafted file and execute code on the vulnerable system.


Remediation

Install update from vendor's website.

References