| Titel | Symphonia symphonia-metadata <= 0.6.0 Denial of Service |
|---|
| Beschreibung | Five remotely-triggerable denial-of-service defects in the `symphonia-metadata` Rust crate (versions <= 0.6.0) allow an attacker who controls a media file's metadata blocks to cause any application using Symphonia (directly or via `rodio`, `kira`, `cpal`-based players, and similar downstream consumers) to attempt multi-gigabyte allocations and either get OS-OOM-killed, abort with `memory allocation of N bytes failed`, or be silently terminated under cgroup / serverless memory limits.
All 5 sites share the identical root-cause pattern: an attacker-controlled 32-bit length prefix is read from a metadata block (Vorbis comment, FLAC picture sub-block, or ID3v2 frame header) and passed straight to `vec![0u8; length as usize]` (or `read_boxed_slice_exact`) without bound-checking against either the remaining bytes in the enclosing metadata block or any configurable cap. Sub-100-byte adversarial payloads are sufficient to request 2.5–4.3 GiB allocations per site.
The five defect sites:
1. symphonia-metadata-0.6.0/src/vorbis.rs:175 — read_comment_no_framing
Vorbis comment length-prefix OOM. Each Vorbis comment entry is preceded by a u32 length; the parser reads `comment_length = reader.read_u32()?` and allocates `vec![0; comment_length as usize]` with no upper bound. A 50-byte fragment with a single near-u32::MAX-length comment entry forces a ~4.13 GiB allocation. Reachable on any Vorbis / Ogg / FLAC stream containing a Vorbis-comment block.
2. symphonia-metadata-0.6.0/src/flac.rs:53 — read_picture_block (media-type length)
FLAC picture-block media-type length-prefix OOM. The picture-block header contains a u32 media-type-length field that is fed unbounded to `vec![0u8; media_type_len]`. A 21-byte FLAC fragment — the smallest reproducer in our corpus — forces a ~4.19 GiB allocation. Reachable on any FLAC stream containing a picture block (METADATA_BLOCK_PICTURE), which is the standard mechanism for embedded cover art.
3. symphonia-metadata-0.6.0/src/flac.rs:66 — read_picture_block (description length)
FLAC picture-block description length-prefix OOM. Same `read_picture_block` function, distinct sink: the u32 description-length field. A 53-byte fragment forces a ~4.23 GiB allocation.
4. symphonia-metadata-0.6.0/src/flac.rs:95 — read_picture_block (picture-data length)
FLAC picture-block picture-data length-prefix OOM. Same function, third sink: the u32 picture-data-length field passed to `read_boxed_slice_exact`. A 53-byte fragment forces a ~2.48 GiB allocation. Together with sites #2 and #3, this means a single malformed picture block can drive three separate multi-GB allocations within one function.
5. symphonia-metadata-0.6.0/src/id3v2/frames.rs:527 — read_id3v2p3_frame
ID3v2.3 frame body length-prefix OOM. Each ID3v2.3 frame header advertises a u32 body size that is consumed by `read_boxed_slice_exact(size as usize)` without bound-checking against the actual remaining tag length. A 30-byte fragment forces a ~4.29 GiB allocation. **This site has the broadest attack surface of the five**: ID3v2 tags are the de-facto-standard metadata mechanism for MP3 (and ID3v2-in-WAV, ID3v2-in-AIFF), so virtually any application that plays untrusted MP3 files is exposed.
Remote attacker requires no privileges, no user interaction beyond the application opening the file, and the impact is full Availability loss. Under cgroup / container / serverless memory limits the host process is OOM-killed; in shared multi-tenant environments (CI runners, SaaS media transcoders, edge audio decoders) concurrent attacks against multiple workers can exhaust host memory and cascade-kill sibling jobs.
Affected attack surfaces:
- Media servers and transcoders (Jellyfin, Plex plugins, audio preview generators, podcast indexing pipelines)
- Desktop music players using Symphonia, rodio, or kira (Spotify-style clients, audio metadata scanners)
- Game engines using rodio/symphonia for music/SFX (Bevy, ggez, and others)
- Audio metadata extractors in user-upload pipelines (Soundcloud-style, music distribution platforms)
- Browser-extension and IDE preview-pane audio decoders
- Serverless / edge audio decoders (functions terminate mid-execution under memory cap)
|
|---|
| Quelle | ⚠️ https://github.com/pdeljanov/Symphonia/issues/508 |
|---|
| Benutzer | Zyz3366 (UID 97230) |
|---|
| Einreichung | 09.06.2026 06:46 (vor 1 Monat) |
|---|
| Moderieren | 09.07.2026 17:02 (1 month later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 377216 [pdeljanov Symphonia bis 0.6.0 Metadata Denial of Service] |
|---|
| Punkte | 20 |
|---|