{"url":"http://public2.vulnerablecode.io/api/packages/23168?format=json","purl":"pkg:deb/debian/alsa-lib@1.2.4-1.1?distro=trixie","type":"deb","namespace":"debian","name":"alsa-lib","version":"1.2.4-1.1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.2.4-1.1+deb11u1","latest_non_vulnerable_version":"1.2.4-1.1+deb11u1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/199948?format=json","vulnerability_id":"VCID-3nz3-b8qd-rydp","summary":"The alsa-lib package in Red Hat Linux 4 disables stack protection for the libasound.so library, which makes it easier for attackers to execute arbitrary code if there are other vulnerabilities in the library.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2005-0087.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2005-0087.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2005-0087","reference_id":"","reference_type":"","scores":[{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26624","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26825","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2005-0087"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0087","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0087"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1617449","reference_id":"1617449","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1617449"},{"reference_url":"https://access.redhat.com/errata/RHSA-2005:033","reference_id":"RHSA-2005:033","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2005:033"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/23167?format=json","purl":"pkg:deb/debian/alsa-lib@1.0.9-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/alsa-lib@1.0.9-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/23168?format=json","purl":"pkg:deb/debian/alsa-lib@1.2.4-1.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/alsa-lib@1.2.4-1.1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/23166?format=json","purl":"pkg:deb/debian/alsa-lib@1.2.8-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-u7jg-r9aj-43ht"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/alsa-lib@1.2.8-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/23171?format=json","purl":"pkg:deb/debian/alsa-lib@1.2.14-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-u7jg-r9aj-43ht"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/alsa-lib@1.2.14-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/23169?format=json","purl":"pkg:deb/debian/alsa-lib@1.2.15.3-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-u7jg-r9aj-43ht"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/alsa-lib@1.2.15.3-1%3Fdistro=trixie"}],"aliases":["CVE-2005-0087"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3nz3-b8qd-rydp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65845?format=json","vulnerability_id":"VCID-u7jg-r9aj-43ht","summary":"alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25068.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25068.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25068","reference_id":"","reference_type":"","scores":[{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00763","published_at":"2026-06-12T12:55:00Z"},{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00765","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25068"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25068","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25068"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126629","reference_id":"1126629","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126629"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2435372","reference_id":"2435372","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2435372"},{"reference_url":"https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40","reference_id":"5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T20:23:55Z/"}],"url":"https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40"},{"reference_url":"https://www.vulncheck.com/advisories/alsa-lib-topology-decoder-heap-based-buffer-overflow","reference_id":"alsa-lib-topology-decoder-heap-based-buffer-overflow","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T20:23:55Z/"}],"url":"https://www.vulncheck.com/advisories/alsa-lib-topology-decoder-heap-based-buffer-overflow"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7401","reference_id":"RHSA-2026:7401","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7401"},{"reference_url":"https://usn.ubuntu.com/8044-1/","reference_id":"USN-8044-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8044-1/"},{"reference_url":"https://usn.ubuntu.com/8044-2/","reference_id":"USN-8044-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8044-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/23168?format=json","purl":"pkg:deb/debian/alsa-lib@1.2.4-1.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/alsa-lib@1.2.4-1.1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/23172?format=json","purl":"pkg:deb/debian/alsa-lib@1.2.4-1.1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/alsa-lib@1.2.4-1.1%252Bdeb11u1%3Fdistro=trixie"}],"aliases":["CVE-2026-25068"],"risk_score":2.0,"exploitability":"0.5","weighted_severity":"4.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u7jg-r9aj-43ht"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/alsa-lib@1.2.4-1.1%3Fdistro=trixie"}