Description
Boxoft wav-wma Converter 1.0 contains a local buffer overflow vulnerability in structured exception handling that allows attackers to execute arbitrary code by crafting malicious WAV files. Attackers can create a specially crafted WAV file with excessive data and ROP gadgets to overwrite the SEH chain and achieve code execution on Windows systems.
Published: 2026-03-26
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Local code execution via SEH buffer overflow
Action: Immediate Patch
AI Analysis

Impact

Boxoft wav-wma Converter version 1.0 contains a local buffer overflow in its structured exception handling (SEH) logic. A malicious WAV file with excessive data can overwrite the SEH chain and redirect execution to a Return-Oriented Programming (ROP) chain created by an attacker, resulting in arbitrary code execution with the privileges of the user running the converter. The flaw corresponds to CWE-787 (Out-of-bounds Write), a classic buffer overrun that directly leads to code execution.

Affected Systems

The affected product is Boxoft’s WAV to WMA Converter, version 1.0, which runs on Windows operating systems. No other versions or products were mentioned in the advisory; the exploitation relies on the Windows SEH mechanism.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, and the vulnerability is not listed in the KEV catalog. EPSS information was not published. The exploit requires local file access or the ability to influence which file the converter opens; the description implies that a specially crafted WAV file can trigger the buffer overflow when opened. This inference is based on the stated need to supply such a file and is not explicitly confirmed in the advisory. If an attacker can supply or persuade a user to open a malicious file, the vulnerability can be exploited without authentication.

Generated by OpenCVE AI on March 26, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check the Boxoft website or vendor portal for an updated version or patch that addresses the buffer overflow.
  • If no patch is available, uninstall or disable the WAV to WMA Converter to prevent its use.
  • Do not open or process WAV files from untrusted sources until the vulnerability is addressed.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Boxoft; Boxoft wav To Wma Converter

Type: Vendors & Products
Values Added: Boxoft; Boxoft wav To Wma Converter

Thu, 26 Mar 2026 13:45:00 +0000

Type: Description
Values Added: Boxoft wav-wma Converter 1.0 contains a local buffer overflow vulnerability in structured exception handling that allows attackers to execute arbitrary code by crafting malicious WAV files. Attackers can create a specially crafted WAV file with excessive data and ROP gadgets to overwrite the SEH chain and achieve code execution on Windows systems.

Type: Title
Values Added: Boxoft wav-wma Converter 1.0 Local Buffer Overflow SEH

Type: Weaknesses
Values Added: CWE-787

Type: References
Values Added:

Type: Metrics
Values Added:
cvssV3_1: {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-26T13:24:13.757Z

Reserved: 2026-03-26T13:13:57.189Z

Link: CVE-2018-25212

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-26T14:16:04.740

Modified: 2026-03-26T15:13:15.790

Link: CVE-2018-25212

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:28:18Z