{"id":"CVE-2018-14681","details":"An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite.","modified":"2026-04-16T06:17:00.208656954Z","published":"2018-07-28T23:29:00.343Z","related":["SUSE-SU-2018:3250-1","SUSE-SU-2018:3436-1","SUSE-SU-2018:3436-2","SUSE-SU-2018:3441-1","SUSE-SU-2021:2765-1","SUSE-SU-2021:2802-1","openSUSE-SU-2021:1200-1","openSUSE-SU-2021:2802-1","openSUSE-SU-2024:10958-1"],"references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2018/07/26/1"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1041410"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201903-20"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3728-1/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3789-2/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4260"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3327"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3505"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/08/msg00007.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3728-2/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3728-3/"},{"type":"FIX","url":"https://bugs.debian.org/904799"},{"type":"FIX","url":"https://github.com/kyz/libmspack/commit/0b0ef9344255ff5acfac6b7af09198ac9c9756c8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kyz/libmspack","events":[{"introduced":"0"},{"last_affected":"25be5e56c1f140dfed754073c7dc374fd4d3010a"},{"introduced":"0"},{"last_affected":"a22627dd5180e0ce9c558d0c10b174c760085f57"},{"introduced":"0"},{"last_affected":"164fb2d23a0894b726b72a047d34191d64a18104"},{"introduced":"0"},{"last_affected":"03296dd44347ab3111ba23b8e3945e2b537b6275"},{"introduced":"0"},{"last_affected":"a2b36d2f477a183c046b66c731936fa56eba53b4"},{"introduced":"0"},{"last_affected":"1668a2a82aac259c9bbc6356648b79411fa7db0d"},{"fixed":"0b0ef9344255ff5acfac6b7af09198ac9c9756c8"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.0.20060920-alpha"},{"introduced":"0"},{"last_affected":"0.3-alpha"},{"introduced":"0"},{"last_affected":"0.4-alpha"},{"introduced":"0"},{"last_affected":"0.5-alpha"},{"introduced":"0"},{"last_affected":"0.6-alpha"},{"introduced":"0"},{"last_affected":"1.5"}]}}],"versions":["v0.0.20060920alpha","v0.3alpha","v0.4alpha","v0.5alpha","v0.6alpha","v1.0","v1.1","v1.2","v1.3","v1.4","v1.5"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"12.04"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"3.3"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]}],"vanir_signatures":[{"id":"CVE-2018-14681-ebb257ff","signature_type":"Line","target":{"file":"libmspack/mspack/kwajd.c"},"source":"https://github.com/kyz/libmspack/commit/0b0ef9344255ff5acfac6b7af09198ac9c9756c8","signature_version":"v1","digest":{"line_hashes":["264125639601368245136278382040962299940","334718959738228674956836817475169085946","129263725176395171497904630117284598573","136055985965663008756139860224137290491","146921429704295347375559488414009961315","144048888467957435751834250567563075182","111846584464331271926986855392744924426","203836619199442944830654375939473252323","81676947660109281998418610702684930460","298075990359636591353990776340018337053","291184430367398170553833683326145169146","265994721061227409424378697157226067255","282128057683887539700009755939422265141","145568330504166830716940528839867775308","47732878296738844481897533567175310364","296738990979170437360220607543689989228","310121185771599670866381063311104525529","274428706265141814401783177908660083895","71631741594013791888316882536923655880","126237243167368149135907565162241690162","134367768589457487684380498779829148207"],"threshold":0.9},"deprecated":false},{"id":"CVE-2018-14681-f0630062","digest":{"length":2697,"function_hash":"9188850034302970685971634658391947089"},"target":{"function":"kwajd_read_headers","file":"libmspack/mspack/kwajd.c"},"source":"https://github.com/kyz/libmspack/commit/0b0ef9344255ff5acfac6b7af09198ac9c9756c8","signature_version":"v1","deprecated":false,"signature_type":"Function"}],"vanir_signatures_modified":"2026-04-11T12:27:35Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14681.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}