Cyber Posture

CVE-2023-53966

Critical · Public PoC

Published: 22 December 2025

Modified: 31 December 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

SOUND4 LinkAndShare Transmitter 1.1.2 contains a format string vulnerability that allows attackers to trigger memory stack overflows through maliciously crafted environment variables. Attackers can manipulate the username environment variable with format string payloads to potentially execute arbitrary code and crash the application.

Mitigating Controls (NIST 800-53 r5) · AI

prevent: SI-2 mandates identification, reporting, and correction of flaws like this format string vulnerability to eliminate the root cause.

prevent: SI-16 provides memory protections such as stack canaries, ASLR, and DEP to prevent arbitrary code execution from stack overflows triggered by format strings.

prevent: SI-10 requires validation of information inputs like environment variables to reject malicious format string payloads before processing.

Security Summary · AI

CVE-2023-53966 is a format string vulnerability (CWE-134) affecting SOUND4 LinkAndShare Transmitter version 1.1.2. The flaw enables attackers to trigger memory stack overflows by supplying maliciously crafted environment variables, particularly through manipulation of the username environment variable with format string payloads. This vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high confidentiality, integrity, and availability impacts.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By crafting environment variables with format string payloads, they can potentially achieve arbitrary code execution or cause the application to crash, leading to denial of service.

Advisories from VulnCheck and Zero Science Lab (ZSL-2023-5744) detail the vulnerability, and a proof-of-concept exploit is available on Exploit-DB (EDB-ID: 51259). No patches or specific mitigation steps are described in the provided information.

Details

CWE(s)

Affected Products

sound4 · linkandshare transmitter · 1.1.2

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote, unauthenticated attackers to exploit a public-facing network application via crafted environment variables, enabling arbitrary code execution or denial of service, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References