VYPR
Unrated severity · NVD Advisory · Published Feb 15, 2019 · Updated Aug 4, 2024

CVE-2019-8357

Description

A NULL pointer dereference in SoX 14.4.2's lsx_make_lpf function allows denial of service via a crafted MP3 file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In SoX version 14.4.2, the function lsx_make_lpf in effect_i_dsp.c dereferences the pointer h without first checking that it is non-NULL, leading to a NULL pointer dereference. This occurs when SoX processes a specially crafted MP3 file with command-line options such as --single-threaded together with effects such as rate and channels. [3]

Exploitation

An attacker can provide a malicious MP3 file to trigger the vulnerability. The bug is reachable by invoking SoX with arguments like --single-threaded -t aiff /dev/null channels 1 rate 16k fade 3 norm. No authentication is required; the attacker only needs to convince a user to process the file with SoX. [3]

Impact

Exploitation results in a segmentation fault (crash), causing a denial of service. No code execution is reported. The crash affects the availability of the application. [3]

Mitigation

The issue is fixed in SoX versions after 14.4.2. Ubuntu released updates in USN-4079-1 (for 16.04 LTS) and USN-4079-2 (for 18.04 LTS and 19.04) on July 30 and August 1, 2019, respectively [1][2]. Users should upgrade to the latest patched version. No workaround is documented.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4

News mentions: 0

No linked articles in our index yet.