Vulnerability details: VCID-jz5a-vech-d3hx
Vulnerability ID VCID-jz5a-vech-d3hx
Aliases CVE-2012-0270
Summary Multiple stack-based buffer overflows in Csound before 5.16.6 allow remote attackers to execute arbitrary code via a crafted (1) hetro file to the getnum function in util/heti_main.c or (2) PVOC file to the getnum function in util/pv_import.c.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
epss 0.75449 https://api.first.org/data/v1/epss?cve=CVE-2012-0270
Data source Exploit-DB
Date added April 6, 2012
Description Csound - '.hetro' File Handling Stack Buffer Overflow (Metasploit)
Ransomware campaign use Known
Source publication date April 6, 2012
Exploit type local
Platform windows
Source update date April 6, 2012
Data source Metasploit
Description This module exploits a buffer overflow in Csound before 5.16.6. The overflow occurs when trying to import a malicious hetro file from tabular format. In order to achieve exploitation the user should import the malicious file through csound with a command like "csound -U het_import msf.csd file.het". This exploit doesn't work if the "het_import" command is used directly to convert the file.
Note
Reliability:
  - unknown-reliability
Stability:
  - unknown-stability
SideEffects:
  - unknown-side-effects
Ransomware campaign use Unknown
Source publication date Feb. 23, 2012
Platform Windows
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/windows/fileformat/csound_getnum_bof.rb
There are no known vectors.
Exploit Prediction Scoring System (EPSS)
Percentile 0.98913
EPSS Score 0.75449
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T13:41:26.237691+00:00 Debian Oval Importer Import https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0