CVE-2017-18236
Description
Exempi before 2.4.4 has an infinite loop in ASF_Support::ReadHeaderObject, allowing denial of service via crafted .asf file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the ASF_Support::ReadHeaderObject function within XMPFiles/source/FormatSupport/ASF_Support.cpp of Exempi, a library for parsing XMP metadata. The flaw allows remote attackers to cause an infinite loop by providing a crafted .asf file. Affected versions include Exempi before 2.4.4 [2].
Exploitation
An attacker must craft a malicious .asf file that triggers the infinite loop when the file is parsed by Exempi. The attack does not require authentication; any user or automated system that opens the file with Exempi can be affected. No special privileges or network position beyond delivering the file is needed [1][2].
Impact
Successful exploitation results in a denial of service, causing Exempi to hang or crash. The attacker gains no code execution or data access, but service availability is impacted [1][2].
Mitigation
The vulnerability is fixed in Exempi version 2.4.4 [2]. Red Hat issued RHSA-2019:2048 to address this for Red Hat Enterprise Linux, and Ubuntu published USN-3668-1. Users should update to the patched version or apply available distribution updates [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
5 affected products (OSV coordinates, 4 versions):
- pkg:rpm/suse/exempi (SUSE Linux Enterprise Desktop 12 SP3), no CPE, range: < 2.2.1-5.7.1
- pkg:rpm/suse/exempi (SUSE Linux Enterprise Server 12 SP3), no CPE, range: < 2.2.1-5.7.1
- pkg:rpm/suse/exempi (SUSE Linux Enterprise Server for SAP Applications 12 SP3), no CPE, range: < 2.2.1-5.7.1
- pkg:rpm/suse/exempi (SUSE Linux Enterprise Software Development Kit 12 SP3), no CPE, range: < 2.2.1-5.7.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The ASF_Support::ReadHeaderObject function enters an infinite loop when processing a crafted .asf file."
Attack vector
An attacker can trigger this vulnerability by providing a specially crafted .asf file to an application that uses the Exempi library for parsing. The crafted file causes the ASF_Support::ReadHeaderObject function to enter an infinite loop, leading to a denial of service.
Affected code
The vulnerability resides in the ASF_Support::ReadHeaderObject function, located in the file XMPFiles/source/FormatSupport/ASF_Support.cpp.
What the fix does
The advisory indicates that an update for Exempi is available to address this issue. The specific code changes are not detailed in the provided text, but the update is intended to correct the infinite loop vulnerability in the ASF_Support::ReadHeaderObject function.
Preconditions
- input: a crafted .asf file.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5 references:
- access.redhat.com/errata/RHSA-2019:2048 (MITRE; vendor-advisory; x_refsource_REDHAT)
- usn.ubuntu.com/3668-1/ (MITRE; vendor-advisory; x_refsource_UBUNTU)
- bugs.freedesktop.org/show_bug.cgi (MITRE; x_refsource_CONFIRM)
- cgit.freedesktop.org/exempi/commit/ (MITRE; x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2018/03/msg00013.html (MITRE; mailing-list; x_refsource_MLIST)
News mentions
No linked articles in our index yet.