CVE-2021-41498
Description
Buffer overflow in ajaxsoundstudio.com Pyo <= 1.03 in the Server_jack_init function, which allows attackers to conduct denial-of-service attacks by constructing an overlong server name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Buffer overflow in pyo <=1.03 allows denial of service via crafted server name in Server_jack_init.
Vulnerability
A buffer overflow vulnerability exists in the Server_jack_init function of pyo, a Python DSP module, in versions up to and including 1.03 [1][2]. The function uses a fixed 32-byte buffer, client_name, to hold the server name, and copies the user-controlled self->serverName into it using strncpy with a limit of 31 characters. strncpy does not write a terminating null byte when the source is 31 characters or longer, and the function never terminates the buffer itself. This allows an attacker to cause a buffer overflow by providing an overlong server name [2][4].
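The copy described above, reduced to a stand-alone C example (added here, not pyo's own code): `prefix_copy_is_terminated` models the pre-fix `strncpy` into the 32-byte buffer, and `bounded_name_copy` is a hypothetical hardened alternative that rejects names that do not fit. Both function names, the 0xAA fill standing in for uninitialised stack bytes, and the sample names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CLIENT_NAME_SIZE 32 /* size of client_name[] in the pre-fix code */

/* Models the pre-fix copy: strncpy(client_name, serverName, 31) into a
 * 32-byte stack buffer. The 0xAA fill stands in for uninitialised stack
 * bytes (an assumption, so the result is reproducible).
 * Returns 1 if the buffer contains a NUL afterwards, 0 if it does not. */
int prefix_copy_is_terminated(const char *server_name)
{
    char client_name[CLIENT_NAME_SIZE];
    memset(client_name, 0xAA, sizeof client_name);
    strncpy(client_name, server_name, 31);
    /* memchr stays inside the buffer; strlen() could run past its end. */
    return memchr(client_name, '\0', sizeof client_name) != NULL;
}

/* Hypothetical hardened copy: reject a name that does not fit instead of
 * truncating it, and always terminate. Returns 0 on success, -1 otherwise. */
int bounded_name_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    while (len < dst_size && src[len] != '\0') /* never scans past dst_size */
        len++;
    if (len == dst_size) {                     /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char out[CLIENT_NAME_SIZE];
    const char *long_name = "0123456789012345678901234567890123456789"; /* 40 chars, constructed */
    printf("short name terminated: %d\n", prefix_copy_is_terminated("pyo"));
    printf("40-char name terminated: %d\n", prefix_copy_is_terminated(long_name));
    printf("bounded copy of 40-char name: %d\n",
           bounded_name_copy(out, sizeof out, long_name));
    return 0;
}
```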
Exploitation
An attacker can exploit this vulnerability by supplying an arbitrarily long server name to the Server_jack_init function. The attacker does not require authentication, but must have the ability to set the server name parameter (e.g., via a pyo script or API). No user interaction beyond crafting the input is needed. The overflow occurs during the initialization of the Jack audio backend [2][4].
Impact
Successful exploitation leads to a buffer overflow, which can crash the application, resulting in a denial of service (DoS) condition. There is no indication of code execution or privilege escalation in the available references. The impact is limited to disrupting the availability of the pyo-based application [2].
Mitigation
The vulnerability is fixed in commit 017702c73332a8560c8554a36250a6da587a2418 [4], which removes the fixed-size buffer and passes self->serverName directly to jack_client_open. Users should upgrade to a version of pyo that includes this fix (i.e., after version 1.03). If upgrading is not immediately possible, avoid passing overly long server names or restrict input length at the application level [1][3][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pyo (PyPI) | < 1.0.4 | 1.0.4 |
Affected products
- ajaxsoundstudio.com/Pyo (description)
Patches
017702c73332: Removed useless string copy in the Jack backend (fixed issue #221).
1 file changed · +1 −3
src/engine/ad_jack.c+1 −3 modified@@ -493,7 +493,6 @@ int Server_jack_init(Server *self) { int i = 0; - char client_name[32]; char name[16]; const char *server_name = "server"; jack_options_t options = JackNullOption; @@ -508,7 +507,6 @@ Server_jack_init(Server *self) PyoJackBackendData *be_data = (PyoJackBackendData *) PyMem_RawMalloc(sizeof(PyoJackBackendData)); self->audio_be_data = (void *) be_data; be_data->activated = 0; - strncpy(client_name, self->serverName, 31); Py_BEGIN_ALLOW_THREADS be_data->midi_event_count = 0; @@ -523,7 +521,7 @@ Server_jack_init(Server *self) } be_data->jack_out_ports = (jack_port_t **) PyMem_RawCalloc(self->nchnls + self->output_offset, sizeof(jack_port_t *)); - be_data->jack_client = jack_client_open(client_name, options, &status, server_name); + be_data->jack_client = jack_client_open(self->serverName, options, &status, server_name); if (self->withJackMidi) {
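Review bot: In the last hunk, self->serverName is now handed to jack_client_open with no check in the visible lines that it is non-NULL and within the length JACK accepts, so the limit is enforced only by the library. Consider validating the name where it is set, for example against jack_client_name_size(), and failing initialization with a clear error. Also confirm that be_data->jack_client is checked for NULL before the withJackMidi block that follows uses it.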
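Review bot: The first hunk removes client_name[32] but leaves char name[16] declared right below it, another fixed-size stack buffer in the same function. Its writes are outside the visible lines; confirm they are bounded (for instance snprintf with sizeof name), otherwise this fix leaves a sibling of the same bug class in place.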
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qj27-32wp-ghrg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-41498 (ghsa, ADVISORY)
- github.com/belangeo/pyo/commit/017702c73332a8560c8554a36250a6da587a2418 (ghsa, WEB)
- github.com/belangeo/pyo/issues/221 (ghsa, x_refsource_MISC, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/pyo/PYSEC-2021-890.yaml (ghsa, WEB)