CVE-2024-5197

CVE Details

Release Date:2024-06-04

Description


There exists interger overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond

See more information about CVE-2024-5197 from MITRE CVE dictionary and NIST NVD


CVSS Scoring


NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score: 7.1 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network Attack Complexity: High
Privileges Required: Low User Interaction: Required
Scope: Unchanged Confidentiality Impact: High
Integrity Impact: High Availability Impact: High

Errata information


PlatformErrataRelease Date
Oracle Linux version 8 (libvpx)ELSA-2024-59412024-08-28
Oracle Linux version 9 (libvpx)ELSA-2024-98272024-11-18


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:

software.hardware.complete