VYPR
High severity · NVD Advisory · Published Jul 23, 2018 · Updated Aug 5, 2024

CVE-2018-14522

Description

A segmentation fault in aubio 0.4.6's aubio_pitch_set_unit function can be triggered via aubionotes, leading to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A segmentation fault (SEGV) occurs in the aubio_pitch_set_unit function in pitch/pitch.c of aubio version 0.4.6. The crash is triggered when the aubionotes tool processes a crafted audio file, as demonstrated by an AddressSanitizer report showing a null pointer dereference at line 324 of pitch.c [1][4]. The vulnerable code path is reachable through the new_aubio_notes function in notes/notes.c [4].

Exploitation

An attacker can cause the crash by providing a specially crafted audio file to the aubionotes command-line tool. No authentication or special privileges are required; the attacker only needs to supply the malicious file to a user running aubionotes. The crash occurs immediately upon processing the file, without requiring any user interaction beyond launching the tool [4].

Impact

Successful exploitation results in a denial of service (DoS) via application crash. The SEGV signal terminates the aubionotes process, and any application using the aubio library that calls aubio_pitch_set_unit with untrusted input could be similarly affected. No code execution or data exfiltration has been reported [1][4].

Mitigation

As of the available references, no patch or fixed version has been disclosed for this vulnerability. Users should monitor the aubio project for updates and consider avoiding processing untrusted audio files with aubionotes or other tools that invoke the vulnerable function until a fix is released [1][4].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
aubio (PyPI) | < 0.4.7 | 0.4.7

Patches

99c7aa2e3efe

src/io/source_wavread.c: also exit if samplerate is negative (closes #188)

https://github.com/aubio/aubio · Paul Brossier · Aug 6, 2018 · via ghsa
1 file changed · +2 -2
  • src/io/source_wavread.c +2 -2 modified
    @@ -195,8 +195,8 @@ aubio_source_wavread_t * new_aubio_source_wavread(const char_t * path, uint_t sa
         goto beach;
       }
     
    -  if ( sr == 0 ) {
    -    AUBIO_ERR("source_wavread: Failed opening %s (samplerate can not be 0)\n", s->path);
    +  if ( (sint_t)sr <= 0 ) {
    +    AUBIO_ERR("source_wavread: Failed opening %s (samplerate can not be <= 0)\n", s->path);
         goto beach;
       }
     
    
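Review bot: the (sint_t)sr <= 0 test in new_aubio_source_wavread rejects out-of-range sample rates only through the cast, so the treatment of a value too large for sint_t depends on the signed conversion rather than on a stated rule. Spell out the accepted range instead, for example by also comparing sr against a named maximum sample rate, and print the value that was read in the AUBIO_ERR message so a rejected file can be diagnosed from the log. The check also lives only in src/io/source_wavread.c, so it protects callers only when this reader opened the file; a guard where the sample rate is consumed would not depend on which reader was used.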
