CVE-2018-19802
Description
aubio v0.4.0 to v0.4.8 contains a NULL pointer dereference in new_aubio_onset, triggering a crash via crafted audio input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Details
CVE-2018-19802 is a NULL pointer dereference vulnerability found in the aubio audio analysis library, affecting versions 0.4.0 through 0.4.8. The flaw resides in the new_aubio_onset function, which is responsible for initializing onset detection objects. When specially crafted audio data is processed, the function can dereference a NULL pointer, leading to an immediate crash of the application [1][2].
Exploitation Context
The vulnerability can be triggered remotely if an attacker can supply a malicious audio file to an application using the vulnerable aubio library. No authentication is required, and the attack vector is over the network via crafted audio input. The crash occurs during the onset detection setup phase, meaning simply opening or analyzing a malicious file can cause the denial of service [1][2].
Impact
Successful exploitation results in a denial of service (application crash). There is no known code execution impact; the vulnerability is limited to causing a NULL pointer dereference, which reliably terminates the affected process [1][2].
Mitigation
The issue was fixed in aubio version 0.4.9, as documented in the changelog [4]. Users should upgrade to this version or later. The vulnerability is also tracked in the PyPA advisory database for Python packages [3]. Affected distributions, including openSUSE, have released security updates [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
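The fix commit listed under Patches below replaces an unchecked use of the object returned by new_aubio_onset with a NULL check that unwinds through a fail label. The following is an added example, not aubio's code: a self-contained C mock of that two-stage constructor pattern. The names new_onset, new_vec, new_notes, del_notes and the parameter checks inside new_onset are hypothetical stand-ins for the real aubio routines; the point is that every sub-allocation is checked before the pointer is used, and that the cleanup path tolerates a partially built object.

```c
/* Added example (not aubio's code). Hypothetical stand-ins for the
   new_aubio_onset / new_aubio_notes constructor pair, showing the
   check-then-unwind pattern of the CVE-2018-19802 fix. */
#include <stdlib.h>

typedef struct { float *data; unsigned length; } vec_t;
typedef struct { unsigned buf_size; unsigned hop_size; float threshold; } onset_t;
typedef struct {
  onset_t *onset;
  vec_t   *onset_output;
  vec_t   *note_buffer;
  int      curnote;
} notes_t;

/* Sub-constructor that can fail: rejects degenerate parameters by returning
   NULL (assumed behaviour, standing in for new_aubio_onset on crafted input). */
static onset_t *new_onset(unsigned buf_size, unsigned hop_size) {
  if (buf_size == 0 || hop_size == 0 || hop_size > buf_size) return NULL;
  onset_t *o = calloc(1, sizeof *o);
  if (!o) return NULL;
  o->buf_size = buf_size;
  o->hop_size = hop_size;
  return o;
}
static void del_onset(onset_t *o) { free(o); }

/* This is the kind of call that crashed in the unpatched code when the
   constructor's result was passed in without a NULL check. */
static void onset_set_threshold(onset_t *o, float t) { o->threshold = t; }

static vec_t *new_vec(unsigned length) {
  if (length == 0) return NULL;           /* assumed: zero-length vectors are rejected */
  vec_t *v = calloc(1, sizeof *v);
  if (!v) return NULL;
  v->data = calloc(length, sizeof *v->data);
  if (!v->data) { free(v); return NULL; }
  v->length = length;
  return v;
}
static void del_vec(vec_t *v) { if (!v) return; free(v->data); free(v); }

/* Destructor that tolerates a partially built object: every member may be NULL,
   which is what makes "goto fail" from any point in the constructor safe. */
void del_notes(notes_t *n) {
  if (!n) return;
  del_onset(n->onset);
  del_vec(n->onset_output);
  del_vec(n->note_buffer);
  free(n);
}

/* Hardened constructor mirroring the patched new_aubio_notes: the sub-object
   is checked before it is used, later allocations are checked together, and
   failure returns NULL instead of dereferencing it. */
notes_t *new_notes(unsigned buf_size, unsigned hop_size, float threshold, unsigned median) {
  notes_t *n = calloc(1, sizeof *n);      /* zeroed, so the fail path sees NULL members */
  if (!n) return NULL;
  n->onset = new_onset(buf_size, hop_size);
  if (n->onset == NULL) goto fail;        /* the check the fix commit adds */
  if (threshold != 0.f) onset_set_threshold(n->onset, threshold);
  n->onset_output = new_vec(1);
  n->note_buffer  = new_vec(median);
  if (!n->onset_output || !n->note_buffer) goto fail;
  n->curnote = -1;
  return n;
fail:
  del_notes(n);
  return NULL;
}

/* Small self-checks returning 1 on the expected behaviour. */
int check_valid_params(void) {
  notes_t *n = new_notes(1024, 256, 0.3f, 6);
  int ok = n != NULL && n->onset->hop_size == 256 && n->note_buffer->length == 6;
  del_notes(n);
  return ok;
}
int check_bad_hop_returns_null(void)    { return new_notes(1024, 0, 0.3f, 6) == NULL; }
int check_bad_median_returns_null(void) { return new_notes(1024, 256, 0.3f, 0) == NULL; }
```

Callers of such a constructor must in turn check for NULL; the fix moves the dereference out of the library, it does not remove the need for the check at the next layer up.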
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aubio (PyPI) | >= 0.4.0, < 0.4.9 | 0.4.9 |
Affected products (8)
- aubio/aubio (from description): >= 0.4.0, < 0.4.9, plus the 6 distribution ranges below
- pkg:pypi/aubio (GHSA coordinates, no CPE): >= 0.4.0, < 0.4.9
- pkg:rpm/opensuse/aubio&distro=openSUSE%20Leap%2015.0 (no CPE): < 0.4.6-lp151.6.3.1
- pkg:rpm/opensuse/aubio&distro=openSUSE%20Leap%2015.1 (no CPE): < 0.4.6-lp151.6.3.1
- pkg:rpm/opensuse/python-aubio&distro=openSUSE%20Leap%2015.0 (no CPE): < 0.4.6-lp151.6.3.1
- pkg:rpm/opensuse/python-aubio&distro=openSUSE%20Leap%2015.1 (no CPE): < 0.4.6-lp151.6.3.1
- pkg:rpm/suse/aubio&distro=SUSE%20Package%20Hub%2015 (no CPE): < 0.4.6-bp150.3.12.1
- pkg:rpm/suse/python-aubio&distro=SUSE%20Package%20Hub%2015 (no CPE): < 0.4.6-bp150.3.12.1
Patches
c5ee1307bdc0 [notes] prevent null pointer dereference
1 file changed · +4 −0
src/notes/notes.c+4 −0 modified@@ -83,6 +83,7 @@ aubio_notes_t * new_aubio_notes (const char_t * method, o->isready = 0; o->onset = new_aubio_onset (onset_method, o->onset_buf_size, o->hop_size, o->samplerate); + if (o->onset == NULL) goto fail; if (o->onset_threshold != 0.) aubio_onset_set_threshold (o->onset, o->onset_threshold); o->onset_output = new_fvec (1); @@ -99,6 +100,9 @@ aubio_notes_t * new_aubio_notes (const char_t * method, o->note_buffer = new_fvec(o->median); o->note_buffer2 = new_fvec(o->median); + if (!o->onset_output || !o->pitch_output || + !o->note_buffer || !o->note_buffer2) goto fail; + o->curnote = -1.; o->newnote = 0.;
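Review bot: in the first hunk, `if (o->onset == NULL) goto fail;` jumps to the cleanup label before `o->onset_output`, `o->pitch_output`, `o->note_buffer` and `o->note_buffer2` have been assigned, so the `fail` path must only free members that are non-NULL; that holds if `o` is zero-initialized on allocation and the `del_*` helpers under `fail` accept NULL, neither of which is visible in this hunk, so it is worth confirming before merging. The check is correctly placed ahead of `aubio_onset_set_threshold (o->onset, ...)`, which is the first dereference of the new pointer.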
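Review bot: in the second hunk, the combined `if (!o->onset_output || !o->pitch_output || !o->note_buffer || !o->note_buffer2) goto fail;` sits after all four allocations, which is fine because none of the intervening lines use them, but `new_fvec(o->median)` is only as safe as `o->median`: if a caller-controlled or zero `median` is what makes `new_fvec` return NULL, validating it up front would give a clearer failure than a generic constructor error. With this change `new_aubio_notes` can now return NULL, so the header documentation should state that callers must check the result; otherwise the same dereference simply moves one layer up.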
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (13)
- lists.opensuse.org/opensuse-security-announce/2019-06/msg00063.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-06/msg00067.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00003.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-08/msg00012.html (vendor advisory, SUSE)
- github.com/advisories/GHSA-c6jq-h4jp-72pr (advisory, GHSA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYIKPYXZIWYWWNNORSKWRCFFCP6AFMRZ/ (vendor advisory, Fedora, via MITRE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHIRMWW4JQ6UHJK4AVBJLFRLE2TPKC2W/ (vendor advisory, Fedora, via MITRE)
- nvd.nist.gov/vuln/detail/CVE-2018-19802 (advisory, NVD)
- github.com/aubio/aubio/blob/0.4.9/ChangeLog (web, misc)
- github.com/aubio/aubio/commit/c5ee1307bdc004e43302abeca1802c2692b33a8e (web, fix commit)
- github.com/pypa/advisory-database/tree/main/vulns/aubio/PYSEC-2019-164.yaml (web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYIKPYXZIWYWWNNORSKWRCFFCP6AFMRZ (web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OHIRMWW4JQ6UHJK4AVBJLFRLE2TPKC2W (web)
News mentions (0)
No linked articles in our index yet.