An issue was discovered in WavPack 5.1.0 and earlier. The W64 parser component contains a vulnerability that allows writing to memory because ParseWave64HeaderConfig in wave64.c does not reject multiple format chunks.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "8.0"
},
{
"last_affected": "8.0"
},
{
"introduced": "9.0"
},
{
"last_affected": "9.0"
}
],
"source": "CPE_STRING",
"vendor_product": "debian:debian_linux"
}
]
}{
"cpe": "cpe:2.3:a:wavpack:wavpack:*:*:*:*:*:*:*:*",
"source": [
"CPE_RANGE",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "5.1.0"
}
]
}[
{
"source": "https://github.com/dbry/wavpack/commit/26cb47f99d481ad9b93eeff80d26e6b63bbd7e15",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"184646861603546030796083882222520450240",
"84312685334654223078823520833341925555",
"154082140996508720341843738016562010053",
"252660553131924893101833006221813729282",
"1343942213833317061756424501775694324",
"308077053378223483629199569743747749424",
"93649652678570829531834480878423478937"
]
},
"id": "CVE-2018-10537-504d4a8e",
"signature_type": "Line",
"target": {
"file": "cli/riff.c"
}
},
{
"source": "https://github.com/dbry/wavpack/commit/26cb47f99d481ad9b93eeff80d26e6b63bbd7e15",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "140476048034579333997910718229279907451",
"length": 7983.0
},
"id": "CVE-2018-10537-73ffe786",
"signature_type": "Function",
"target": {
"function": "ParseRiffHeaderConfig",
"file": "cli/riff.c"
}
},
{
"source": "https://github.com/dbry/wavpack/commit/26cb47f99d481ad9b93eeff80d26e6b63bbd7e15",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "118300800463717199926781613989967737417",
"length": 6624.0
},
"id": "CVE-2018-10537-96af42bf",
"signature_type": "Function",
"target": {
"function": "ParseWave64HeaderConfig",
"file": "cli/wave64.c"
}
},
{
"source": "https://github.com/dbry/wavpack/commit/26cb47f99d481ad9b93eeff80d26e6b63bbd7e15",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"332865019631066372223500709303797431877",
"280271726020800377614925935580540570684",
"138012726190409765382337285991215305476",
"286662417744728389179015073645145507988",
"106166235591341177200476569566427557660",
"69502089290313573260304176946327060439",
"60925149395709222123254455234564749263"
]
},
"id": "CVE-2018-10537-9901ed41",
"signature_type": "Line",
"target": {
"file": "cli/wave64.c"
}
}
]
"2026-07-08T14:59:16Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-10537.json"