LiveActive security incident?Get immediate response
CVE Record

CVE-2020-18651: Buffer Overflow vulnerability in function ID3_Support::ID3v2Frame::getFrameValue in exempi 2.5.0 and earlie...

Buffer Overflow vulnerability in function ID3_Support::ID3v2Frame::getFrameValue in exempi 2.5.0 and earlier allows remote attackers to cause a denial of service via opening of crafted audio file with ID3V2 frame.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2020-18651 is a denial-of-service risk in Exempi, a metadata parsing library. A specially crafted audio file with an ID3V2 frame can trigger a buffer overflow when the file is opened or processed. The source bundle does not show code execution, active exploitation, or a CVSS score.

Executive priority

Treat this as a moderate operational stability issue. Prioritize systems that automatically process outside audio files, because a crafted file could disrupt services. Current evidence supports denial of service, not confirmed data theft or active exploitation.

Technical view

The vulnerability is reported in ID3_Support::ID3v2Frame::getFrameValue in Exempi 2.5.0 and earlier. Processing a crafted audio file containing an ID3V2 frame may cause a buffer overflow and denial of service. Public sources include an upstream issue, an upstream commit, and a Debian LTS security update.

Likely exposure

Exposure is most likely where Exempi is installed and used to parse metadata from untrusted or user-supplied audio files. Desktop file indexers, media workflows, upload pipelines, and automated metadata extraction services may be relevant if they depend on Exempi 2.5.0 or earlier.

Exploitation context

The provided sources describe remote attackers causing denial of service through crafted audio files. CISA KEV status is false, and the bundle provides no cited evidence of active exploitation or public weaponization.

Researcher notes

Evidence is limited. The CVE record names Exempi 2.5.0 and earlier, getFrameValue, crafted ID3V2 audio input, and denial of service. The bundle does not include CVSS, CWE, proof of exploitation, or a complete downstream product inventory.

Mitigation direction

  • Update Exempi using the applicable vendor or distribution security update.
  • For Debian LTS systems, apply the referenced DLA 3585-1 update.
  • If packaging guidance is unclear, review the upstream commit and vendor advisories.
  • Limit processing of untrusted audio files until patched.
  • Run metadata parsing in isolated or restartable worker processes.

Validation and detection

  • Inventory systems and applications that include Exempi.
  • Confirm whether installed Exempi versions are 2.5.0 or earlier.
  • Identify workflows that parse untrusted audio or ID3V2 metadata.
  • Verify patched package status against vendor or distribution advisories.
  • Review crash telemetry around Exempi metadata parsing.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2020-18651 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
4Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.