June 29, 2022

The audio decoders in Qualcomm and MediaTek chips have been reported to include three safety vulnerabilities. 

Leaving unpatched three of those safety holes may present the menace actors with distant entry to the media and audio conversations from affected cellular gadgets in the event that they aren’t patched.

The safety analysts at Examine Level asserted that by sending a specifically crafted audio file, an attacker may acquire distant code execution (RCE) entry.


On this case, the vulnerability was found in ALAC (Apple Lossless Audio Codec), a lossless audio format launched by Apple in 2004.

It has been greater than a decade since ALAC has been utilized in many gadgets and packages aside from these from Apple. These days ALAC is utilized in a number of gadgets like:-

  • Android-based smartphones
  • Linux media gamers and converters
  • Home windows media gamers and converters

Flaws Detected

MediaTek and Qualcomm each acquired their ALAC flaws mounted in December 2021, and at the moment are listed and tracked as:-

  • CVE ID: CVE-2021-0674
  • Abstract: A case of improper enter validation in ALAC decoder resulting in data disclosure with none consumer interplay.
  • Severity: Medium
  • CVSS Rating: 5.5 rating
  • CVE ID: CVE-2021-0675
  • Abstract: A neighborhood privilege escalation flaw in ALAC decoder stemming from out-of-bounds write.
  • Severity: Excessive
  • CVSS Rating: 7.8 rating
  • CVE ID: CVE-2021-30351
  • Abstract: An out-of-bounds reminiscence entry as a result of improper validation of a lot of frames being handed throughout music playback.
  • Severity: Crucial
  • CVSS Rating: 9.8 rating

Every time an assault is carried out remotely, there are extreme penalties that end result:-

  • Information breach
  • Deploying malware
  • Executing malware
  • Modifying gadget settings
  • Accessing microphone
  • Accessing digital camera
  • Take over account
See also  15-12 months-old Safety Vulnerability In The PEAR PHP Repository Permits Provide Chain Assault

Potential Risk

By means of the vulnerabilities present in ALAC, the cybersecurity analysts consider an attacker may use a specifically crafted malicious audio file to aim a distant code execution assault (RCE) on a cellular gadget.

An RCE assault permits an attacker to remotely execute malicious code on a pc by conducting a distant code execution assault at this stage. 

In a turn-key situation, the information might be disclosed and entry to privileges might be elevated for a time interval with out a human interplay being required.


The cybersecurity specialists at CheckPoint safety agency have really useful some mitigations and right here they’re:-

  • Be certain that your gadget is updated.
  • All the time use a strong safety answer or AV app.
  • All the time use advanced passwords.
  • Be sure to allow multi-factor authentication.
  • Don’t use any used or dumped passwords.
  • Putting in a third-party Android distribution, in case your gadget doesn’t obtain safety updates.
  • Don’t open any audio recordsdata from unknown or suspicious sources/customers.

You may comply with us on Linkedin, TwitterFb for every day Cybersecurity and hacking information updates.