CVE-2022-31651
Description
SoX 14.4.2 has a reachable assertion failure in rate_init() in rate.c, leading to a denial of service when processing crafted audio files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In SoX (Sound eXchange) version 14.4.2, there is an assertion failure in the function rate_init located in rate.c in libsox.a. The assertion factor > 0 fails when processing a specially crafted audio file (e.g., an AIFF file with specific parameters), because the computed resampling factor becomes zero or negative [1][2]. This occurs in the latest commit at the time of reporting (42b3557e13e0fe01a83465b672d89faddbe65f49) [2].
Exploitation
An attacker can trigger the assertion failure by providing a malicious audio file (e.g., AIFF) to SoX and running a command like sox --single-threaded crafted.aiff /dev/null [2]. No authentication or special network position is required—only local access to create a crafted file. The vulnerability is reachable without any race window or user interaction beyond opening the file [2].
Impact
Successful exploitation results in a crash of SoX due to an assertion failure, causing a denial of service. The assertion is triggered before reaching any critical code paths, so no arbitrary code execution, information disclosure, or privilege escalation is expected. The impact is limited to availability [1][2].
Mitigation
As of the available references, no official patch has been released by the SoX upstream (which is mostly inactive). The repository maintainer noted that the bug is “not likely exploitable” [1]. Users can apply a patch from the oss-security mailing list that fixes the truncation issue leading to the assertion [1]. Alternatively, avoid processing untrusted audio files with SoX until a fix is applied. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 14.4.2
- osv-coords (5 versions, no CPE):
  - pkg:rpm/opensuse/sox&distro=openSUSE%20Leap%2015.4, range: < 14.4.2-bp154.2.3.1
  - pkg:rpm/opensuse/sox&distro=openSUSE%20Leap%2015.5, range: < 14.4.2-bp155.3.3.1
  - pkg:rpm/opensuse/sox&distro=openSUSE%20Tumbleweed, range: < 14.4.2-8.1
  - pkg:rpm/suse/sox&distro=SUSE%20Package%20Hub%2015%20SP4, range: < 14.4.2-bp154.2.3.1
  - pkg:rpm/suse/sox&distro=SUSE%20Package%20Hub%2015%20SP5, range: < 14.4.2-bp155.3.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation allows a computed rate factor to be zero or negative, triggering a reachable assertion failure in rate_init."
Attack vector
An attacker provides a crafted AIFF file as input to SoX. When SoX processes the file with the command `./sox --single-threaded <poc> -t aiff /dev/null`, the `rate_init` function is called with a computed `factor` value that is zero or negative, triggering the assertion `factor > 0` at `rate.c:303` [ref_id=1]. The attacker does not need authentication; the only precondition is that SoX processes the malicious file.
Affected code
The vulnerability is in the `rate_init` function in `rate.c` at line 303, where an assertion `factor > 0` fails [ref_id=1]. The affected code is within the SoX library (`libsox.a`) at commit 42b3557e13e0fe01a83465b672d89faddbe65f49 [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory reports the bug as a reachable assertion failure in `rate_init` at `rate.c:303` [ref_id=1]. To fix this, the code should validate the computed `factor` value before the assertion, handling cases where `factor <= 0` gracefully (e.g., returning an error) rather than aborting.
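The validate-before-assert change described above, shown as an added illustration rather than SoX's own code: `toy_rate_t`, `rate_init_unchecked`, `rate_init_checked`, the `RATE_*` status codes and the helper wrappers are all hypothetical names chosen for this example, and the sample-rate values are constructed. The unchecked variant reproduces the advisory's pattern (an assertion as the only guard on the derived factor); the checked variant rejects non-finite or non-positive rates and a non-positive derived factor by returning an error code, so a caller can refuse the file instead of the process aborting.

```c
#include <assert.h>
#include <math.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative stand-in for a resampler state block (hypothetical; not SoX's rate_t). */
typedef struct {
    double factor;      /* input_rate / output_rate, must be strictly positive */
    int    initialized;
} toy_rate_t;

/* Status codes for the checked initializer (hypothetical names). */
enum {
    RATE_OK = 0,
    RATE_ERR_BAD_RATE = 1,   /* a sample rate is zero, negative, NaN or infinite */
    RATE_ERR_BAD_FACTOR = 2  /* derived factor did not come out strictly positive */
};

/* Before: the pattern the advisory describes. The assertion is the only guard,
 * so header values that yield a non-positive factor abort the whole process. */
static void rate_init_unchecked(toy_rate_t *p, double in_rate, double out_rate)
{
    double factor = in_rate / out_rate;
    assert(factor > 0);      /* reachable with crafted input: denial of service */
    p->factor = factor;
    p->initialized = 1;
}

/* After: validate the untrusted inputs and the derived value first, and
 * report an error instead of aborting. */
static int rate_init_checked(toy_rate_t *p, double in_rate, double out_rate)
{
    double factor;

    /* Rates parsed from a file header are attacker-controlled: require finite,
     * strictly positive numbers before dividing. */
    if (!isfinite(in_rate) || in_rate <= 0 || !isfinite(out_rate) || out_rate <= 0)
        return RATE_ERR_BAD_RATE;

    factor = in_rate / out_rate;

    /* Re-check the derived value; this also catches underflow to 0. */
    if (!isfinite(factor) || factor <= 0)
        return RATE_ERR_BAD_FACTOR;

    p->factor = factor;
    p->initialized = 1;
    return RATE_OK;
}

/* Helper: status code of the checked initializer for a pair of rates. */
int checked_status(double in_rate, double out_rate)
{
    toy_rate_t p = {0};
    return rate_init_checked(&p, in_rate, out_rate);
}

/* Helper: derived factor on success, or -1.0 when the input was rejected. */
double checked_factor(double in_rate, double out_rate)
{
    toy_rate_t p = {0};
    return rate_init_checked(&p, in_rate, out_rate) == RATE_OK ? p.factor : -1.0;
}

int main(void)
{
    /* Constructed header values standing in for what a format parser would read. */
    double cases[][2] = { {44100, 48000}, {0, 48000}, {44100, -8000}, {NAN, 48000} };
    toy_rate_t ok = {0};

    rate_init_unchecked(&ok, 44100, 48000);   /* benign input: assertion holds */
    printf("unchecked factor=%g\n", ok.factor);

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        toy_rate_t p = {0};
        int rc = rate_init_checked(&p, cases[i][0], cases[i][1]);
        printf("in=%g out=%g -> rc=%d factor=%g\n",
               cases[i][0], cases[i][1], rc, p.factor);
    }
    return 0;
}
```

The second check on `factor` is not redundant: a finite positive dividend over a huge finite divisor can underflow to zero, which the input checks alone would not catch.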
Preconditions
- input: SoX must process a crafted AIFF file provided by the attacker.
- config: The command must be run with --single-threaded (or equivalent) to trigger the assertion in rate_init.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.debian.org/security/2023/dsa-5356 (mitre; vendor-advisory)
- www.openwall.com/lists/oss-security/2023/02/03/3 (mitre; mailing-list)
- lists.debian.org/debian-lts-announce/2023/02/msg00009.html (mitre; mailing-list)
- sourceforge.net/p/sox/bugs/360/ (mitre)
News mentions
No linked articles in our index yet.