CVE-2024-10573

MEDIUM

Red Hat Enterprise Linux 7, 8, 9 - Out-of-bounds Write in mpg123 PCM Decoding

Title source: llm

Description

An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.

References (9)

Core 9

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2024/11/msg00025.html

Various Sources

https://mpg123.org/cgi-bin/news.cgi#2024-10-26

Mailing List

http://www.openwall.com/lists/oss-security/2024/10/30/3

Mailing List

http://www.openwall.com/lists/oss-security/2024/10/31/4

Mailing List

http://www.openwall.com/lists/oss-security/2024/11/01/1

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:11193

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:11242

Vendor Advisory vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2024-10573

Issue Tracking issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2322980

Scores

CVSS v3 6.7

EPSS 0.0006

EPSS Percentile 19.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-787

Status published

Products (3)

Red Hat/Red Hat Enterprise Linux 7

Red Hat/Red Hat Enterprise Linux 8 0:1.32.9-1.el8_10

Red Hat/Red Hat Enterprise Linux 9 0:1.32.9-1.el9_5

Published Oct 31, 2024

Tracked Since Feb 18, 2026