CVE-2026-34253
Description
A buffer underflow vulnerability has been identified in the ogg123 utility from the vorbis-tools 1.4.3 package, in the remotethread function in remote.c. The vulnerability occurs in the remote control functionality when processing malformed input and leads to a stack buffer underflow that can crash the application and potentially allow code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack buffer underflow in ogg123 remote control enables crash and potential code execution via malformed input.
Vulnerability Description
A buffer underflow vulnerability exists in the remotethread function of ogg123 from vorbis-tools 1.4.3, located in remote.c at line 153 [2]. The issue arises when processing malformed input in the remote control functionality, leading to a stack buffer underflow. This was reported via a GitLab issue with a reproduction using AddressSanitizer, confirming the underflow write [1].
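The page does not reproduce the code at remote.c line 153, so the following is an added illustration of the bug class and a hardened line reader, not vorbis-tools code. It assumes a command loop that strips the trailing newline from a stack buffer; `read_command`, `nth_command_len` and `CMD_MAX` are hypothetical names, and the sample bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX 64                /* hypothetical command buffer size */

/* Unsafe pattern, for contrast only (assumed, not quoted from remote.c):
 *     fgets(buf, CMD_MAX, in);  buf[strlen(buf) - 1] = 0;
 * When fgets() stores nothing, or the input starts with a NUL byte,
 * strlen() is 0 and the store hits buf[-1], just below the stack buffer. */

/* Read one command line. Returns its length, or -1 on EOF, read error or
 * an over-long line. Never indexes outside buf[0 .. size-1]. */
int read_command(FILE *in, char *buf, size_t size)
{
    if (size < 2)
        return -1;
    buf[0] = '\0';
    if (fgets(buf, (int)size, in) == NULL)
        return -1;                        /* EOF or error: nothing to strip */
    size_t len = strcspn(buf, "\r\n");    /* always in 0 .. strlen(buf) */
    if (buf[len] == '\0' && len == size - 1) {
        int c;                            /* line did not fit: drop the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
        buf[0] = '\0';
        return -1;
    }
    buf[len] = '\0';                      /* strip CR/LF, or a no-op */
    return (int)len;
}

/* Demo helper: feed constructed bytes, return the result of the nth read. */
int nth_command_len(const char *bytes, size_t n, int nth)
{
    char buf[CMD_MAX];
    int r = -1;
    FILE *in = tmpfile();
    if (in == NULL)
        return -2;
    fwrite(bytes, 1, n, in);
    rewind(in);
    while (nth-- > 0)
        r = read_command(in, buf, sizeof buf);
    fclose(in);
    return r;
}

int main(void)
{ return nth_command_len("\0abc\n", 5, 1) == 0 ? 0 : 1; }
```

Building the unsafe pattern with `-fsanitize=address` and feeding it the same inputs is a quick way to confirm whether a given reader has this defect.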
Exploitation
An attacker can trigger the vulnerability by sending specially crafted data to the remote control interface when ogg123 is launched with the -R flag. The reproduction demonstrates sending bytes over a pipe, but the same principle applies over network connections if remote control is enabled. No authentication is required to send commands, making the attack surface accessible to any entity that can reach the listening endpoint.
Impact
A successful exploit can cause the application to crash, as shown by the AddressSanitizer stack-buffer-underflow report. While not confirmed in the report, such memory corruption may be leveraged for arbitrary code execution, depending on the exploitability of the underflow. The vulnerability is rated as High severity due to the potential for code execution and the remote attack vector.
Mitigation
As of the publication date, no official patch has been released. Users are advised to disable the remote control functionality if not required, or restrict network access to the affected service. Monitor the GitLab issue [1] for updates on a fix.
AI Insight generated by deepseek/deepseek-v4-flash-20260423 on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.