Sound Exchange libsox sphere.c start_read() heap-based buffer overflow vulnerability [CVE-2021-40426]

CVE number = CVE-2021-40426

Libsox is a long-established library for cross-platform audio editing software, originally written in 1991. After decades of development, it supports a wide range of file formats, including .wav, .flac, and .mp3 (with the aid of an external library).

A heap-based buffer overflow vulnerability exists in the sphere.c start_read() functionality of Sound Exchange libsox 14.4.2 and master commit 42b3557e.

A specially-crafted file can lead to a heap buffer overflow.

An attacker can provide a malicious file to trigger this vulnerability.

Tested Versions

Sound Exchange libsox 14.4.2
Sound Exchange libsox master commit 42b3557e

Luke Simmonds

