{"id":"CVE-2016-10172","details":"The read_new_config_info function in open_utils.c in Wavpack before 5.1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WV file.","modified":"2026-04-11T19:42:46.117574Z","published":"2017-03-14T14:59:00.307Z","related":["SUSE-SU-2018:0607-1","SUSE-SU-2018:0608-1"],"references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/95883"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2017/01/28/9"},{"type":"FIX","url":"https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc"},{"type":"EVIDENCE","url":"https://sourceforge.net/p/wavpack/mailman/message/35561951/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dbry/WavPack","events":[{"introduced":"0"},{"last_affected":"2c5f8995aadbb9fe744cf0d88fe69ee9fbe8abdb"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:wavpack_project:wavpack:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"5.0.0"}]}}],"versions":["4.70.0","4.70.0-rc","4.75.0","4.75.0-rc","4.75.2","4.80.0","4.80.0-rc","5.0.0","5.0.0-alpha","5.0.0-alpha2","5.0.0-alpha3","5.0.0-alpha4","5.0.0-alpha5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-10172.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/dbry/wavpack","events":[{"introduced":"0"},{"fixed":"4bc05fc490b66ef2d45b1de26abf1455b486b0dc"}],"database_specific":{"source":"REFERENCES"}}],"versions":["4.70.0","4.70.0-rc","4.75.0","4.75.0-rc","4.75.2","4.80.0","4.80.0-rc","5.0.0","5.0.0-alpha","5.0.0-alpha2","5.0.0-alpha3","5.0.0-alpha4","5.0.0-alpha5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-10172.json","vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["258850288732523643512675473133534382534","220347052653996422538150640887459021458","164662209618117995073184152411630754512","229981819128427362146009415295274641495","185889359717517232897891319245691122292","331743087455671763299233936012568132181","25564655387442595063734045720924497048","144707297014856422073319844326463066547"]},"source":"https://github.com/dbry/wavpack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc","id":"CVE-2016-10172-8ae8fa06","signature_version":"v1","target":{"file":"src/open_utils.c"},"deprecated":false,"signature_type":"Line"},{"digest":{"threshold":0.9,"line_hashes":["220368600512407806609558388534790306706","308456421510775067050619380014020586139","117541840331745660331830910238677499720","283477992805437530837810981096645513154"]},"source":"https://github.com/dbry/wavpack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc","id":"CVE-2016-10172-bcd82de9","signature_version":"v1","target":{"file":"src/read_words.c"},"deprecated":false,"signature_type":"Line"},{"digest":{"function_hash":"164253035093328456349796014300482149401","length":5248},"source":"https://github.com/dbry/wavpack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc","id":"CVE-2016-10172-ebcacf67","signature_version":"v1","target":{"function":"get_word","file":"src/read_words.c"},"deprecated":false,"signature_type":"Function"},{"digest":{"function_hash":"336068580949872724902448003637322357508","length":1030},"source":"https://github.com/dbry/wavpack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc","id":"CVE-2016-10172-ec847c9e","signature_version":"v1","target":{"function":"read_new_config_info","file":"src/open_utils.c"},"deprecated":false,"signature_type":"Function"}],"vanir_signatures_modified":"2026-04-11T19:42:46Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}