Vulnerability identifier: #VU33248
Vulnerability risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-125
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
lame
Other software /
Other software solutions
Vendor: lame.sourceforge.net
Description
The vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.
The lame_init_params function in lame.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file with a negative sample rate.
Mitigation
Install update from vendor's website.
Vulnerable software versions
lame: 3.99.5
External links
http://www.securityfocus.com/bid/99279
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775959
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.