6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-20992

GHSA ID

GHSA-8c6g-4xc5-w96c

EPSS Score

0.52961%

CWE

CWE-908

Published

8/25/2021

Updated

6/13/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-20992

CVE-2018-20992: Uninitialized memory exposure in claxon

Affected versions of Claxon made an invalid assumption about the decode buffer size being a multiple of a value read from the bitstream. This could cause parts of the decode buffer to not be overwritten. If the decode buffer was newly allocated and uninitialized, this uninitialized memory could be exposed.

This allows an attacker to observe parts of the uninitialized memory in the decoded audio stream.

The flaw was corrected by checking that the value read from the bitstream divides the decode buffer size, and returning a format error if it does not. If an error is returned, the decode buffer is not exposed. Regression tests and an additional fuzzer have been added to prevent similar flaws in the future.

(GitHub Advisory)

6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-20992

GHSA ID

GHSA-8c6g-4xc5-w96c

EPSS Score

0.52961%

CWE

CWE-908

Published

8/25/2021

Updated

6/13/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
claxon	rust	>= 0.4.0, < 0.4.1	0.4.1
claxon	rust	< 0.3.2	0.3.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems directly from the decode_residual function's handling of residual partitions:

The original code calculated n_samples = block_size >> order without validating divisibility
This could create gaps between partitions when block_size wasn't a multiple of 2^order
The buffer slicing logic (buffer[start..start + len]) would then leave portions uncovered
The commit adds critical validation (block_size & (n_partitions - 1) == 0) to prevent this
The patch modifies this specific function's partition math and adds error checking
All vulnerability descriptions point to residual decoding as the attack vector
No other functions are modified in the security-relevant commit diff

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* *l*xon m*** *n inv*li* *ssumption **out t** ***o** *u***r siz* **in* * multipl* o* * v*lu* r*** *rom t** *itstr**m. T*is *oul* **us* p*rts o* t** ***o** *u***r to not ** ov*rwritt*n. I* t** ***o** *u***r w*s n*wly *llo**t** *n* u

Reasoning

T** vuln*r**ility st*ms *ir**tly *rom t** ***o**_r*si*u*l *un*tion's **n*lin* o* r*si*u*l p*rtitions: *. T** ori*in*l *o** **l*ul*t** n_s*mpl*s = *lo*k_siz* >> or**r wit*out v*li**tin* *ivisi*ility *. T*is *oul* *r**t* **ps **tw**n p*rtitions w**n *l

6.5

Basic Information

Concerned about an active attack path?

CVE-2018-20992: Uninitialized memory exposure in claxon

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI