CVE-2023-45679 – CVE-2023-45679 is a double-free vulnerability i... (How to Fix)

Q: What is the severity of CVE-2023-45679?

CVE-2023-45679 has a CVSS score of 7.3 (HIGH). CVE-2023-45679 is a double-free vulnerability in stb_vorbis library that occurs when processing malicious Ogg Vorbis files. If exploited, it could lead to arbitrary code execution. Any application using the vulnerable stb_vorbis library to process untrusted audio files is affected.

📋 TL;DR

CVE-2023-45679 is a double-free vulnerability in stb_vorbis library that occurs when processing malicious Ogg Vorbis files. If exploited, it could lead to arbitrary code execution. Any application using the vulnerable stb_vorbis library to process untrusted audio files is affected.

💻 Affected Systems

Products:

Any software using stb_vorbis library

Versions: All versions before the fix commit 5736b15f7ea0ffb08dd38af21067c314d6a3aae9

Operating Systems: All platforms (Windows, Linux, macOS, etc.)

Default Config Vulnerable: ⚠️ Yes

Notes: Only vulnerable when processing Ogg Vorbis files. Applications must use the stb_vorbis library directly.

📦 What is this software?

Stb Vorbis.c by Nothings

View all CVEs affecting Stb Vorbis.c →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the application processing the audio file, potentially leading to full system compromise.

🟠

Likely Case

Application crash (denial of service) or limited code execution depending on memory layout and exploit sophistication.

🟢

If Mitigated

Application crash without code execution if memory protections (ASLR, DEP) are effective.

🌐 Internet-Facing: MEDIUM - Requires processing untrusted audio files, which is common in web applications, media players, and games.

🏢 Internal Only: LOW - Only affects systems processing malicious audio files, which is less common internally.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires crafting a malicious Ogg Vorbis file that triggers memory allocation failure. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 5736b15f7ea0ffb08dd38af21067c314d6a3aae9

Vendor Advisory: https://github.com/nothings/stb/commit/5736b15f7ea0ffb08dd38af21067c314d6a3aae9

Restart Required: Yes

Instructions:

1. Update stb_vorbis.c to version with commit 5736b15f7ea0ffb08dd38af21067c314d6a3aae9 or later. 2. Recompile all applications using the library. 3. Restart affected services.

🔧 Temporary Workarounds

Disable Ogg Vorbis processing

all

Temporarily disable processing of Ogg Vorbis files in applications until patched.

Input validation

all

Implement strict file type validation and reject suspicious Ogg Vorbis files.

🧯 If You Can't Patch

Implement application sandboxing to limit impact of potential code execution
Use memory protection mechanisms (ASLR, DEP) and monitor for crashes

🔍 How to Verify

Check if Vulnerable:

Check if your stb_vorbis.c file contains the vulnerable code at lines 3660-3677 and 4208-4215 from the referenced commit.

Check Version:

grep -n "start_decoder\|setup_free" stb_vorbis.c && check git log for commit 5736b15f7ea0ffb08dd38af21067c314d6a3aae9

Verify Fix Applied:

Verify stb_vorbis.c has been updated to commit 5736b15f7ea0ffb08dd38af21067c314d6a3aae9 or later.

📡 Detection & Monitoring

Log Indicators:

Application crashes when processing audio files
Memory allocation failures in audio processing

Network Indicators:

Unusual Ogg Vorbis file uploads to web applications

SIEM Query:

Process crashes with stb_vorbis in stack trace OR audio file processing errors

📊 Metadata

CVE ID: CVE-2023-45679

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-415

Published: October 21, 2023

Last Updated: November 21, 2024

🔗 References

https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3660-L3677 Third Party Advisory
https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L4208-L4215 Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ Third Party Advisory
https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L3660-L3677 Third Party Advisory
https://github.com/nothings/stb/blob/5736b15f7ea0ffb08dd38af21067c314d6a3aae9/stb_vorbis.c#L4208-L4215 Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-45679, you might also want to check these: