CVE-2025-61043

Executive summary

A critical vulnerability has been identified in multiple products from the vendor "An," stemming from a flaw in the Monkey's Audio library. This out-of-bounds read vulnerability can be triggered by processing a specially crafted audio file, potentially allowing an attacker to crash the application or read sensitive information from the system's memory.

Vulnerability

A critical out-of-bounds read vulnerability exists in the CAPECharacterHelper::GetUTF16FromUTF8 function within the Monkey's Audio library. The flaw is due to improper validation of the length parameter during the conversion of UTF-8 character strings to UTF-16. An attacker can exploit this by crafting a malicious audio file with specific metadata that, when processed by the vulnerable function, causes the application to read data from memory locations outside of the intended buffer. This can lead to a denial-of-service (DoS) through an application crash or, more severely, the disclosure of sensitive information residing in the application's memory.
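As an added illustration of the length validation the advisory says is missing (example code written for this page, not the Monkey's Audio library's code; the function names, the length-counted input and the 64-unit output buffer are assumptions): a UTF-8 to UTF-16 converter that checks each continuation byte against the caller-supplied length before reading it, so a multi-byte sequence truncated at the end of a metadata field is rejected rather than read past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
/* Added example (not Monkey's Audio code): hardened UTF-8 -> UTF-16 conversion.
 * `in` holds exactly `len` bytes of metadata text (not NUL-terminated). Each
 * continuation byte is checked against `len` BEFORE it is read, so a sequence
 * cut off by the end of the field is rejected instead of read past the buffer.
 * Returns UTF-16 units written, or -1 on malformed input (reject the file). */
long utf8_to_utf16(const uint8_t *in, size_t len, uint16_t *out, size_t out_cap)
{
    size_t i = 0, n = 0;
    while (i < len) {
        uint8_t b = in[i];
        uint32_t cp;
        size_t need;                                  /* continuation bytes */
        if (b < 0x80)                { cp = b;        need = 0; }
        else if ((b & 0xE0) == 0xC0) { cp = b & 0x1F; need = 1; }
        else if ((b & 0xF0) == 0xE0) { cp = b & 0x0F; need = 2; }
        else if ((b & 0xF8) == 0xF0) { cp = b & 0x07; need = 3; }
        else return -1;              /* stray continuation byte or bad lead */
        if (need > len - i - 1) return -1;   /* would run past the buffer */
        for (size_t k = 1; k <= need; k++) {
            if ((in[i + k] & 0xC0) != 0x80) return -1;
            cp = (cp << 6) | (in[i + k] & 0x3F);
        }
        /* reject overlong forms, UTF-16 surrogates and values above U+10FFFF */
        if ((need == 1 && cp < 0x80) || (need == 2 && cp < 0x800) ||
            (need == 3 && cp < 0x10000) || cp > 0x10FFFF ||
            (cp >= 0xD800 && cp <= 0xDFFF)) return -1;
        if (cp >= 0x10000) {                 /* needs a surrogate pair */
            if (out_cap - n < 2) return -1;
            cp -= 0x10000;
            out[n++] = (uint16_t)(0xD800 | (cp >> 10));
            out[n++] = (uint16_t)(0xDC00 | (cp & 0x3FF));
        } else {
            if (out_cap - n < 1) return -1;
            out[n++] = (uint16_t)cp;
        }
        i += need + 1;
    }
    return (long)n;
}

/* Helper for checking constructed inputs: the UTF-16 unit at `idx`, or -1 if
 * the input is malformed or `idx` is past the converted output. */
int utf16_unit_at(const char *s, size_t len, size_t idx)
{
    uint16_t buf[64];
    long n = utf8_to_utf16((const uint8_t *)s, len, buf, 64);
    return (n < 0 || idx >= (size_t)n) ? -1 : (int)buf[idx];
}
```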

Business impact

This vulnerability is rated as critical with a CVSS score of 9.1, posing a significant risk to the organization. Successful exploitation could lead to severe consequences, including application or system-wide denial-of-service, which disrupts business operations. Furthermore, the potential for information disclosure could result in a data breach, exposing confidential business data, user credentials, or other sensitive information stored in memory. Such an incident could lead to significant financial loss, reputational damage, and regulatory penalties.

Remediation

Immediate Action:

  • Identify all systems running the affected "An Multiple Products" software.
  • Update all identified instances of "An Multiple Products" to the latest patched version as recommended by the vendor.
  • Prioritize patching for internet-facing systems and critical servers that process external or user-supplied audio files.

Proactive Monitoring:

  • Monitor application logs for unexpected crashes or errors, particularly those related to audio file processing.
  • Review system and security logs for any anomalous activity on affected hosts following the processing of audio files.
  • Implement network monitoring to detect and alert on attempts to send malicious audio files to vulnerable systems.

Compensating Controls:

  • If immediate patching is not feasible, restrict the processing of audio files from untrusted or external sources.
  • Implement strict file validation and sanitization at the application ingress point to reject malformed files before they are processed by the vulnerable library.
  • Run the affected applications in a sandboxed or containerized environment to limit the impact of a potential memory disclosure or crash.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity (CVSS 9.1) of this vulnerability, immediate action is required. We strongly recommend that all affected "An Multiple Products" be patched on a priority basis. Although there is no current evidence of active exploitation or inclusion in the CISA KEV catalog, the high potential for information disclosure and denial-of-service makes this an attractive target for threat actors. If patching cannot be deployed immediately, the compensating controls listed above should be implemented without delay to mitigate risk.