Division by zero in vorbis-tools - CVE-2014-9638

 

Division by zero in vorbis-tools - CVE-2014-9638

Published: July 27, 2020 / Updated: November 10, 2023


Vulnerability identifier: #VU31927
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2014-9638
CWE-ID: CWE-369
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: xiph.org
Affected software:
vorbis-tools

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to divide-by-zero error in oggenc in vorbis-tools. A remote attacker can pass specially crafted WAV file with the number of channels set to zero to the application, trigger divide-by-zero error and crash the application.


How to mitigate CVE-2014-9638

Install update from vendor's website.

Sources