{
  "document": {
    "aggregate_severity": {
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "CVE-2024-10573: Out-of-bounds write during PCM decoding of crafted streams\n  could lead to heap corruption and potential arbitrary code execution. The fix\n  decodes the MPEG header into a temporary copy that is only applied to the live\n  handle after the frame body is validated (upstream svn-r5442, main fix), and\n  gates decode_the_frame() behind a FRAME_DECODER_LIVE state bit so it cannot\n  run with stale state when decode_update() failed (upstream svn-r4991 plus\n  the bug-324 precedence fix from 1.29.2, follow-up safeguard).",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779694248",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779694248"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/advisories/2026/clsa-2026_1779694248.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-05-25T07:31:40Z",
      "generator": {
        "date": "2026-05-25T07:31:40Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1779694248",
      "initial_release_date": "2026-05-25T07:31:40Z",
      "revision_history": [
        {
          "date": "2026-05-25T07:31:40Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "mpg123: Fix of CVE-2024-10573"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.2",
                "product": {
                  "name": "AlmaLinux 9.2",
                  "product_id": "AlmaLinux-9.2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mpg123-plugins-pulseaudio-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
                "product": {
                  "name": "mpg123-plugins-pulseaudio-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
                  "product_id": "mpg123-plugins-pulseaudio-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/mpg123-plugins-pulseaudio@1.26.2-5.el9_2.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
                "product": {
                  "name": "mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
                  "product_id": "mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/mpg123-libs@1.26.2-5.el9_2.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mpg123-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
                "product": {
                  "name": "mpg123-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
                  "product_id": "mpg123-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/mpg123@1.26.2-5.el9_2.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
                "product": {
                  "name": "mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
                  "product_id": "mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/mpg123-devel@1.26.2-5.el9_2.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.i686",
                "product": {
                  "name": "mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.i686",
                  "product_id": "mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/mpg123-libs@1.26.2-5.el9_2.tuxcare.els1?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.i686",
                "product": {
                  "name": "mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.i686",
                  "product_id": "mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/mpg123-devel@1.26.2-5.el9_2.tuxcare.els1?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mpg123-plugins-pulseaudio-0:1.26.2-5.el9_2.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:mpg123-plugins-pulseaudio-0:1.26.2-5.el9_2.tuxcare.els1.x86_64"
        },
        "product_reference": "mpg123-plugins-pulseaudio-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.i686"
        },
        "product_reference": "mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.x86_64"
        },
        "product_reference": "mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mpg123-0:1.26.2-5.el9_2.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:mpg123-0:1.26.2-5.el9_2.tuxcare.els1.x86_64"
        },
        "product_reference": "mpg123-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.i686"
        },
        "product_reference": "mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.x86_64"
        },
        "product_reference": "mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-10573",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "description",
          "text": "An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, libmpg123 may write past the end of a heap-allocated buffer. Consequently, heap corruption may occur, and arbitrary code execution cannot be ruled out. The complexity required to exploit this flaw is considered high, as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:mpg123-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.i686",
          "AlmaLinux-9.2:mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.i686",
          "AlmaLinux-9.2:mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:mpg123-plugins-pulseaudio-0:1.26.2-5.el9_2.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-10573"
        }
      ],
      "release_date": "2024-10-30T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-25T07:30:51.705459Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779694248",
          "product_ids": [
            "AlmaLinux-9.2:mpg123-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.i686",
            "AlmaLinux-9.2:mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.i686",
            "AlmaLinux-9.2:mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:mpg123-plugins-pulseaudio-0:1.26.2-5.el9_2.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779694248"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:mpg123-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.i686",
            "AlmaLinux-9.2:mpg123-devel-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.i686",
            "AlmaLinux-9.2:mpg123-libs-0:1.26.2-5.el9_2.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:mpg123-plugins-pulseaudio-0:1.26.2-5.el9_2.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}