Description
A buffer underflow vulnerability has been identified in the ogg123 utility from the vorbis-tools 1.4.3 package in function remotethread in remote.c. This vulnerability occurs in the remote control functionality when processing malformed input, leading to a stack buffer underflow that can cause application crashes and potentially allow code execution.
Published: 2026-05-15
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer underflow in the ogg123 utility’s remotethread function can corrupt the stack when it processes malformed remote control inputs. The flaw, identified as an incorrect calculation for buffer size or offset, may lead to application crashes and, in the worst case, exploitation that allows an attacker to execute arbitrary code. The weakness corresponds to CWE-124.

Affected Systems

The vulnerability affects the ogg123 player shipped with the vorbis‑tools 1.4.3 package. No alternative versions or additional vendor details are reported. Users running this specific release should be aware of the risk.

Risk and Exploitability

The flaw has a CVSS score of 8.2, signalling a high severity level. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog, yet the high CVSS still points to significant risk. The flaw can be triggered via the remote control interface of ogg123, making it accessible to any host that can communicate with the service; a crafted command can overflow a stack buffer, potentially leading to denial of service or execution of arbitrary code.

Generated by OpenCVE AI on May 15, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vorbis-tools to a version that resolves the stack underflow in ogg123.
  • If an upgrade is not immediately possible, disable the remote control feature or block network traffic that can reach the remote interface.
  • Apply any vendor‑released patches or updates as soon as they become available and monitor official advisories for further guidance.

Generated by OpenCVE AI on May 15, 2026 at 18:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 19:15:00 +0000

Type Values Removed Values Added
Title Stack Buffer Underflow in ogg123 Remote Control Function
Weaknesses CWE-681
CWE-787

Fri, 15 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Xiph
Xiph vorbis-tools
Vendors & Products Xiph
Xiph vorbis-tools

Fri, 15 May 2026 17:15:00 +0000

Type Values Removed Values Added
Title Stack Buffer Underflow in ogg123 Remote Control Function
Weaknesses CWE-681
CWE-787

Fri, 15 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-124
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description A buffer underflow vulnerability has been identified in the ogg123 utility from the vorbis-tools 1.4.3 package in function remotethread in remote.c. This vulnerability occurs in the remote control functionality when processing malformed input, leading to a stack buffer underflow that can cause application crashes and potentially allow code execution.
References

Subscriptions

Xiph Vorbis-tools
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-15T15:26:22.404Z

Reserved: 2026-03-26T00:00:00.000Z

Link: CVE-2026-34253

cve-icon Vulnrichment

Updated: 2026-05-15T15:26:17.037Z

cve-icon NVD

Status : Received

Published: 2026-05-15T15:16:51.073

Modified: 2026-05-15T16:16:14.190

Link: CVE-2026-34253

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T19:00:07Z

Weaknesses