Platform: c
Component: theora
Fixed in: 1.10.0, 2.5.4
A denial-of-service (DoS) vulnerability has been identified in libtheora, a library for encoding and decoding video streams. The flaw is a heap-based out-of-bounds read in the AVI (Audio Video Interleave) parser's aviparseinput_file() function. To exploit it, a local attacker must trick a user into opening a specially crafted AVI file, which can crash the application or disclose heap memory. The vulnerability affects versions 1.0.0 through 2.5.3 and is resolved in version 2.5.4.
The primary impact of CVE-2026-5673 is denial of service: a successful exploit crashes the application that uses libtheora and disrupts the service it provides. The description also mentions possible leakage of heap memory, but the immediate and most likely consequence is application instability. Attackers could use this vulnerability against any application that processes AVI files with libtheora, potentially causing widespread disruption. Because a malicious AVI file is easy to craft and AVI files are common, the vulnerability could be attractive to attackers whose goal is disruption.
This vulnerability was publicly disclosed on 2026-04-06. There is currently no indication of active exploitation campaigns targeting CVE-2026-5673. No public proof-of-concept (PoC) code has been released at the time of this writing. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The recommended mitigation is to upgrade to libtheora version 2.5.4 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing input validation on AVI files before processing them. Specifically, validate the header sub-chunk size to prevent the out-of-bounds read. While a WAF or proxy is unlikely to directly mitigate this vulnerability, they could be configured to block suspicious AVI files based on known malicious patterns. After upgrading, confirm the fix by attempting to process a known malicious AVI file (if available) and verifying that the application does not crash.
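The workaround above, validating every declared chunk size against the bytes actually present before a payload is read, is what an AVI front-end needs to do to avoid this class of out-of-bounds read. The following is an added example of such a check, not code from libtheora or from the fix itself; the function names (walk_chunks, avi_validate) and the two sample files are constructed for illustration, and the only assumption is the standard RIFF layout (4-byte FourCC, little-endian 32-bit size, word-aligned payload, LIST chunks carrying a 4-byte list type before their sub-chunks).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian u32 at buf[off]; callers guarantee off + 4 <= bound. */
static uint32_t rd_u32(const uint8_t *buf, size_t off) {
    return (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8) |
           ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
}

/* Walk the chunks in buf[off, end). Each declared size is checked against the
 * bytes left in the parent before any payload is touched, so a chunk that claims
 * more than exists is rejected instead of being read past the heap buffer.
 * Returns the number of chunks seen, or -1 on the first inconsistency. */
static int walk_chunks(const uint8_t *buf, size_t off, size_t end) {
    int count = 0;
    while (off < end) {
        if (end - off < 8) return -1;                /* truncated chunk header */
        uint32_t csize = rd_u32(buf, off + 4);
        size_t payload = off + 8;
        if (csize > end - payload) return -1;        /* sub-chunk overruns its parent */
        if (memcmp(buf + off, "LIST", 4) == 0) {     /* nested list: recurse into it */
            if (csize < 4) return -1;                /* no room for the list type */
            int inner = walk_chunks(buf, payload + 4, payload + csize);
            if (inner < 0) return -1;
            count += inner;
        }
        count++;
        off = payload + csize + (csize & 1);         /* chunks are word-aligned */
    }
    return count;
}

/* Validate a RIFF/AVI buffer of len bytes: check the magic and RIFF size first. */
int avi_validate(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "AVI ", 4)) return -1;
    uint32_t riff_size = rd_u32(buf, 4);
    if (riff_size < 4 || riff_size > len - 8) return -1;   /* RIFF size exceeds file */
    return walk_chunks(buf, 12, 8 + riff_size);
}

/* Constructed samples: a 40-byte AVI with one LIST(hdrl) holding an 8-byte "avih"
 * chunk, and the same file with the avih size field forged to 0x7fffffff. */
const uint8_t GOOD_AVI[] = { 'R','I','F','F', 32,0,0,0, 'A','V','I',' ',
    'L','I','S','T', 20,0,0,0, 'h','d','r','l', 'a','v','i','h', 8,0,0,0, 1,2,3,4,5,6,7,8 };
const uint8_t BAD_AVI[] = { 'R','I','F','F', 32,0,0,0, 'A','V','I',' ',
    'L','I','S','T', 20,0,0,0, 'h','d','r','l', 'a','v','i','h', 0xff,0xff,0xff,0x7f, 1,2,3,4,5,6,7,8 };
```

avi_validate returns 2 for the well-formed sample and -1 for the forged one; passing a shorter len than the RIFF header declares is also rejected, which covers the truncated-file case.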
Update the libtheora library to version 2.5.4 or higher to mitigate the vulnerability. Ensure you apply the security updates provided by your Linux distribution vendor (Red Hat in this case) to obtain the patched version. Avoid processing AVI files from untrusted sources until the update is applied.
CVE-2026-5673 is a denial-of-service vulnerability in libtheora's AVI parser, allowing a crafted file to crash the application.
You are affected if you use libtheora versions 1.0.0 through 2.5.3 and process AVI files.
Upgrade to libtheora version 2.5.4 or later. Input validation on AVI files is a temporary workaround.
There is currently no evidence of active exploitation of CVE-2026-5673.
Refer to the relevant security advisory from the libtheora project or the distribution you are using.