Unrated severity · NVD Advisory · Published Sep 8, 2019 · Updated Aug 5, 2024

CVE-2019-16095

Description

libmysofa 0.7 performs an invalid read in getDimension within hrtf/reader.c, potentially leading to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2019-16095 is an invalid read vulnerability in Symonics libmysofa version 0.7, specifically within the getDimension function found in hrtf/reader.c [2]. The library parses HRTFs stored in the SOFA (AES69-2015) format; when processing a crafted SOFA file, the code can read beyond allocated memory boundaries, causing undefined behavior [1].

Exploitation

An attacker can exploit this issue by supplying a specially crafted SOFA file to an application that uses libmysofa to process HRTF data. No special network position or authentication is required—the vulnerability is triggered during file parsing. The attacker does not need to interact with the system beyond delivering the malicious file to the processing application [1][2].

Impact

Successful exploitation allows an attacker to cause a denial of service via application crash or potentially other unspecified impacts due to memory corruption. The exact impact beyond denial of service has not been detailed, but the invalid read could lead to information disclosure or arbitrary code execution depending on memory layout [1].

Mitigation

Ubuntu published security update USN-4473-1 on 26 August 2020, which fixes the issue in libmysofa version 0.7-1build1 for Ubuntu 18.04 LTS [1]. Users should upgrade to the patched version as soon as possible. No workarounds are available for version 0.7; the only mitigation is to apply the package update.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2

News mentions

0

No linked articles in our index yet.