CVE-2024-41147
Published: 04 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
An out-of-bounds write vulnerability, tracked as CVE-2024-41147 and published on 2025-03-04, affects the ma_dr_flac__decode_samples__lpc functionality in Miniaudio version 0.11.21. This flaw, associated with CWE-122, can be triggered by a specially crafted FLAC file, resulting in memory corruption. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H), indicating high severity due to potential impacts on integrity and availability.
A remote attacker can exploit this vulnerability over the network without privileges or user interaction, though attack complexity is high. By providing a malicious FLAC file to an application that uses the affected Miniaudio component for decoding, the attacker can induce memory corruption, potentially leading to arbitrary code execution, data tampering, or denial of service.
The primary advisory from Talos Intelligence, available at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2063, documents the vulnerability in detail. Security practitioners should consult this report for technical analysis, reproduction steps, and recommended mitigations, such as updating to a patched version of Miniaudio if available.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The out-of-bounds write in FLAC decoding enables remote exploitation via a malicious file, leading to memory corruption and arbitrary code execution in applications that process such files over the network, with no user interaction required.