CVE-2017-6888

MEDIUM

FLAC <1.3.2 - Memory Corruption

Title source: llm

Description

An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC/stream_decoder.c) in FLAC version 1.3.2 can be exploited to cause a memory leak via a specially crafted FLAC file.

References (6)

[Third Party Advisory] https://secuniaresearch.flexerasoftware.com/advisories/82639/

[Various Sources] https://git.xiph.org/?p=flac.git%3Ba=commit%3Bh=4f47b63e9c971e6391590caf00a0f2a5ed612e67

[Third Party Advisory] https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7/

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2021/01/msg00001.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33W6XZAAEJYRGU3XYHRO7XSYEA7YACUB/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNZYTAU5UWBVXVJ4VHDWPR66ZVDLQZRE/

Scores

CVSS v3 5.5

EPSS 0.0044

EPSS Percentile 63.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE

CWE-772

Status published

Products (4)

debian/debian_linux 9.0

fedoraproject/fedora 32

fedoraproject/fedora 33

flac_project/flac < 1.3.2

Published Apr 25, 2018

Tracked Since Feb 18, 2026