CVE-2022-2476

2022-07-1920:15:11

CWE-476

[email protected]

web.nvd.nist.gov

information security

cve-2022-2476

wavpack-5.4.0

null pointer dereference

asan

addresssanitizer

nvd

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

5.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

36.2%

JSON

A null pointer dereference bug was found in wavpack-5.4.0 The results from the ASAN log: AddressSanitizer:DEADLYSIGNAL ===================================================================84257==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x561b47a970c6 bp 0x7fff13952fb0 sp 0x7fff1394fca0 T0) ==84257==The signal is caused by a WRITE memory access. ==84257==Hint: address points to the zero page. #0 0x561b47a970c5 in main cli/wvunpack.c:834 #1 0x7efc4f5c0082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) #2 0x561b47a945ed in _start (/usr/local/bin/wvunpack+0xa5ed) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV cli/wvunpack.c:834 in main ==84257==ABORTING

Affected configurations

Vulners

NVD

Node

wavpackwavpackRange≤5.5.0

VendorProductVersionCPE
wavpackwavpack*cpe:2.3:a:wavpack:wavpack:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
wavpack	wavpack	*	cpe:2.3:a:wavpack:wavpack::::::::

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "Wavpack",
    "versions": [
      {
        "version": "5.5.0",
        "status": "affected"
      }
    ]
  }
]