CVE-2018-14521
Description
A SEGV signal in aubio's aubio_source_avcodec_readframe function crashes aubiomfcc when processing a crafted WAV file, causing denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SEGV signal in aubio's `aubio_source_avcodec_readframe` function crashes aubiomfcc when processing a crafted WAV file, causing denial of service.
Vulnerability
In aubio version 0.4.6, a segmentation fault (SEGV) occurs in the function aubio_source_avcodec_readframe located in io/source_avcodec.c. This is triggered when a specially crafted WAV file is supplied as input to the aubiomfcc tool. The crash originates during audio decoding when the underlying FFmpeg library's swr_convert is called without proper initialization, leading to a null pointer dereference. The issue is reproduced using the aubiomfcc command-line tool included with aubio [1][4].
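To make the failure mode concrete, here is an added example (not aubio's or FFmpeg's code) that models the pattern described above with a stand-in for libswresample's context. Opening the "resampler" can fail and leave the source object's `avr` pointer NULL; the unpatched constructor hands that object back anyway, so the conversion step in `readframe` would dereference NULL. The patched constructor mirrors the fix by giving up when `avr` is NULL, and `readframe` additionally refuses to run without a resampler. Names (`source_t`, `resampler_t`, `reset_resampler`, the helper functions) and the failure condition (a zero or implausible sample rate) are assumptions of this model.

```c
/* Added example modelling CVE-2018-14521; not aubio's or FFmpeg's code.
 * resampler_t stands in for an opaque SwrContext: opening it can fail, and
 * converting through a NULL context is the null dereference the advisory
 * describes. Failure condition (zero / implausible rate) is constructed. */
#include <stdio.h>
#include <stdlib.h>

typedef struct { unsigned in_rate; unsigned out_rate; } resampler_t;

/* Only the fields this example needs from the source object. */
typedef struct {
    unsigned samplerate;
    resampler_t *avr;   /* NULL when the resampler failed to open */
    int eof;
} source_t;

/* Model of reset_resampler(): a failed open leaves s->avr == NULL. */
static void reset_resampler(source_t *s, unsigned file_rate) {
    free(s->avr);
    s->avr = NULL;
    if (s->samplerate == 0 || file_rate == 0 || s->samplerate > 384000)
        return;                                  /* open failed */
    s->avr = calloc(1, sizeof *s->avr);
    if (s->avr) { s->avr->in_rate = file_rate; s->avr->out_rate = s->samplerate; }
}

/* Pre-fix constructor: ignores the failed open and returns a live object. */
source_t *new_source_unpatched(unsigned file_rate, unsigned samplerate) {
    source_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->samplerate = samplerate;
    reset_resampler(s, file_rate);
    s->eof = 0;
    return s;
}

/* Post-fix constructor: give up if the resampler did not open. */
source_t *new_source_patched(unsigned file_rate, unsigned samplerate) {
    source_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->samplerate = samplerate;
    reset_resampler(s, file_rate);
    if (s->avr == NULL) goto beach;              /* the added check */
    s->eof = 0;
    return s;
beach:
    fprintf(stderr, "resampler open failed (%u -> %u)\n", file_rate, samplerate);
    free(s);
    return NULL;
}

/* Model of readframe(): conversion dereferences s->avr, so a NULL resampler
 * must be rejected here too (defense in depth). Returns frames written. */
unsigned readframe(source_t *s, const float *in, unsigned n, float *out) {
    if (s == NULL || s->avr == NULL) return 0;   /* would SEGV without this */
    unsigned m = (unsigned)((unsigned long long)n * s->avr->out_rate / s->avr->in_rate);
    for (unsigned i = 0; i < m; i++)             /* toy nearest-neighbour rate change */
        out[i] = in[(unsigned)((unsigned long long)i * s->avr->in_rate / s->avr->out_rate)];
    return m;
}

void del_source(source_t *s) { if (s) { free(s->avr); free(s); } }

/* Helpers exposing the three states worth checking. */
int unpatched_leaves_null_avr(void) {           /* crafted header: rate 0 */
    source_t *s = new_source_unpatched(0, 44100);
    int dangerous = (s != NULL && s->avr == NULL);
    del_source(s);
    return dangerous;
}
int patched_refuses_bad_file(void) { return new_source_patched(0, 44100) == NULL; }
unsigned frames_for_valid_file(void) {           /* 22050 Hz file -> 44100 Hz out */
    float in[8] = {0, 1, 2, 3, 4, 5, 6, 7}, out[16];
    source_t *s = new_source_patched(22050, 44100);
    unsigned m = readframe(s, in, 8, out);
    del_source(s);
    return m;
}

int main(void) {
    printf("unpatched leaves NULL avr: %d\n", unpatched_leaves_null_avr());
    printf("patched refuses bad file: %d\n", patched_refuses_bad_file());
    printf("frames for valid file: %u\n", frames_for_valid_file());
    return 0;
}
```

The point of the two constructors side by side is that the unpatched one returns an object that looks usable but is one `readframe` call away from a crash; the fix moves the failure to the earliest point where it can be reported, and the extra guard in `readframe` keeps a later resampler reset from reintroducing the same dereference.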
Exploitation
An attacker can trigger the SEGV by providing a malicious WAV file to the aubiomfcc utility (e.g., via ./aubiomfcc -i testcase1). No authentication or special privileges are required; the attacker only needs the ability to deliver the crafted file to the victim's system and have the victim run the tool. The sequence involves the victim executing aubiomfcc with the malicious input, causing the program to crash due to the uninitialized audio resampler state [4].
Impact
Successful exploitation results in a denial of service (availability impact) via a SIGSEGV crash of the aubiomfcc process. The crash does not appear to allow arbitrary code execution or information disclosure beyond a crash dump. The privilege level of the attacker is unchanged, but the application terminates abnormally, disrupting audio analysis tasks [1][4].
Mitigation
As of the available references, no official patched version of aubio has been released for CVE-2018-14521. Users are advised to limit the use of aubiomfcc to trusted audio files and consider disabling or sandboxing the tool until a fix is provided by the maintainers. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing. Users may also apply input validation or fuzzing mitigations at the system level [1][3][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aubio (PyPI) | < 0.4.7 | 0.4.7 |
Affected products
Patches
a81b12a3b417 src/io/source_avcodec.c: give up if resampling context failed opening (see #137, closes #187)
1 file changed · +2 −0
src/io/source_avcodec.c+2 −0 modified@@ -275,6 +275,8 @@ aubio_source_avcodec_t * new_aubio_source_avcodec(const char_t * path, uint_t sa // default to mono output aubio_source_avcodec_reset_resampler(s, 0); + if (s->avr == NULL) goto beach; + s->eof = 0; s->multi = 0;
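Review bot: the new `if (s->avr == NULL) goto beach;` bails out silently; nothing in the hunk emits a diagnostic before the jump, so a caller that gets NULL back from new_aubio_source_avcodec() cannot tell a failed resampler open from any other constructor failure. Suggest logging the failure (and the requested rates) before `goto beach`, and confirming that `beach` releases everything allocated earlier in the constructor. The guard also covers only this call site of aubio_source_avcodec_reset_resampler(); if the resampler is reset anywhere else (not visible here) and that open fails, the readframe path named in the description would again reach a NULL `s->avr`, so those sites, or readframe itself, should carry the same check.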
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rcv6-7hmv-fj7h (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-14521 (ghsa, ADVISORY)
- github.com/aubio/aubio/commit/a81b12a3b4174953b3bc7ef4c37103f4d5636740 (ghsa, WEB)
- github.com/aubio/aubio/issues/187 (ghsa, x_refsource_MISC, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/aubio/PYSEC-2018-61.yaml (ghsa, WEB)
News mentions
No linked articles in our index yet.