Skip to main content

vorbis-tools CVE-2026-34253

| EUVDEUVD-2026-30545 HIGH
Buffer Underwrite ('Buffer Underflow') (CWE-124)
2026-05-15 cve@mitre.org GHSA-45fh-4474-xc77
8.2
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
SUSE
HIGH
qualitative
Red Hat
8.2 HIGH
qualitative

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 15, 2026 - 17:30 vuln.today
CVSS changed
May 15, 2026 - 16:22 NVD
8.2 (HIGH)
CVE Published
May 15, 2026 - 15:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A buffer underflow vulnerability has been identified in the ogg123 utility from the vorbis-tools 1.4.3 package in function remotethread in remote.c. This vulnerability occurs in the remote control functionality when processing malformed input, leading to a stack buffer underflow that can cause application crashes and potentially allow code execution.

AnalysisAI

Buffer underflow in vorbis-tools 1.4.3's ogg123 utility allows remote attackers to crash the application or potentially execute code through malformed remote control input. The vulnerability achieves an EPSS score indicating moderate exploitation likelihood, with proof-of-concept code available according to SSVC assessment, though it has not been added to CISA's KEV catalog indicating no confirmed active exploitation.

Technical ContextAI

The vulnerability affects the ogg123 command-line audio player utility within the vorbis-tools package, specifically in the remotethread function in remote.c. This is a CWE-124 buffer underflow where data is written before the beginning of a buffer on the stack. The remote control functionality appears to process network input without proper bounds checking, allowing malformed commands to corrupt memory below the allocated buffer.

RemediationAI

No vendor-released patch identified at time of analysis. The references point to source code and issue tracker but not to a fixed release version. As immediate mitigation, disable or restrict access to ogg123's remote control functionality if enabled, or avoid using ogg123 version 1.4.3 in network-exposed configurations. Monitor the Xiph.Org GitLab work item 2332 for patch availability. If remote control functionality is required, implement network segmentation to limit exposure to trusted sources only.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

CVE-2026-34253 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy