openmpt CVE Vulnerabilities & Metrics

Focus on openmpt vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About openmpt Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with openmpt. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total openmpt CVEs: 11
Earliest CVE date: 17 Jul 2017, 13:18 UTC
Latest CVE date: 04 Oct 2019, 00:15 UTC

Latest CVE reference: CVE-2019-17113

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical openmpt CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 5.34

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	0
4.0-6.9	10
7.0-8.9	1
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS openmpt CVEs

These are the five CVEs with the highest CVSS scores for openmpt, sorted by severity first and recency.

CVE-2019-17113 openmpt Published on 04 Oct 2019, 00:15 UTC (CVSS: 7.5)
In libopenmpt before 0.3.19 and 0.4.x before 0.4.9, ModPlug_InstrumentName and ModPlug_SampleName in libopenmpt_modplug.c do not restrict the lengths of libmodplug output-buffer strings in the C API, leading to a buffer overflow.
CVE-2018-11710 openmpt Published on 04 Jun 2018, 13:29 UTC (CVSS: 6.8)
soundlib/pattern.h in libopenmpt before 0.3.9 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted AMS file because of an invalid write near address 0 in an out-of-memory situation.
CVE-2018-6611 openmpt Published on 04 Feb 2018, 12:29 UTC (CVSS: 6.8)
soundlib/Load_stp.cpp in OpenMPT through 1.27.04.00, and libopenmpt before 0.3.6, has an out-of-bounds read via a malformed STP file.
CVE-2017-11311 openmpt Published on 17 Jul 2017, 13:18 UTC (CVSS: 6.8)
soundlib/Load_psm.cpp in OpenMPT through 1.26.12.00 and libopenmpt before 0.2.8461-beta26 has a heap buffer overflow with the potential for arbitrary code execution via a crafted PSM File that triggers use of the same sample slot for two samples.
CVE-2019-14381 openmpt Published on 30 Jul 2019, 13:15 UTC (CVSS: 5.0)
libopenmpt before 0.4.3 allows a crash due to a NULL pointer dereference when doing a portamento from an OPL instrument to an empty instrument note map slot.

All CVEs for openmpt

CVE-2019-17113 openmpt vulnerability CVSS: 7.5 04 Oct 2019, 00:15 UTC

In libopenmpt before 0.3.19 and 0.4.x before 0.4.9, ModPlug_InstrumentName and ModPlug_SampleName in libopenmpt_modplug.c do not restrict the lengths of libmodplug output-buffer strings in the C API, leading to a buffer overflow.

CVE-2019-14383 openmpt vulnerability CVSS: 4.3 30 Jul 2019, 19:15 UTC

J2B in libopenmpt before 0.4.2 allows an assertion failure during file parsing with debug STLs.

CVE-2019-14382 openmpt vulnerability CVSS: 4.3 30 Jul 2019, 19:15 UTC

DSM in libopenmpt before 0.4.2 allows an assertion failure during file parsing with debug STLs.

CVE-2019-14380 openmpt vulnerability CVSS: 4.3 30 Jul 2019, 19:15 UTC

libopenmpt before 0.4.5 allows a crash during playback due to an out-of-bounds read in XM and MT2 files.

CVE-2018-20861 openmpt vulnerability CVSS: 4.3 30 Jul 2019, 19:15 UTC

libopenmpt before 0.3.11 allows a crash with certain malformed custom tunings in MPTM files.

CVE-2018-20860 openmpt vulnerability CVSS: 4.3 30 Jul 2019, 19:15 UTC

libopenmpt before 0.3.13 allows a crash with malformed MED files.

CVE-2019-14381 openmpt vulnerability CVSS: 5.0 30 Jul 2019, 13:15 UTC

libopenmpt before 0.4.3 allows a crash due to a NULL pointer dereference when doing a portamento from an OPL instrument to an empty instrument note map slot.

CVE-2018-11710 openmpt vulnerability CVSS: 6.8 04 Jun 2018, 13:29 UTC

soundlib/pattern.h in libopenmpt before 0.3.9 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted AMS file because of an invalid write near address 0 in an out-of-memory situation.

CVE-2018-10017 openmpt vulnerability CVSS: 4.3 11 Apr 2018, 05:29 UTC

soundlib/Snd_fx.cpp in OpenMPT before 1.27.07.00 and libopenmpt before 0.3.8 allows remote attackers to cause a denial of service (out-of-bounds read) via an IT or MO3 file with many nested pattern loops.

CVE-2018-6611 openmpt vulnerability CVSS: 6.8 04 Feb 2018, 12:29 UTC

soundlib/Load_stp.cpp in OpenMPT through 1.27.04.00, and libopenmpt before 0.3.6, has an out-of-bounds read via a malformed STP file.

CVE-2017-11311 openmpt vulnerability CVSS: 6.8 17 Jul 2017, 13:18 UTC

soundlib/Load_psm.cpp in OpenMPT through 1.26.12.00 and libopenmpt before 0.2.8461-beta26 has a heap buffer overflow with the potential for arbitrary code execution via a crafted PSM File that triggers use of the same sample slot for two samples.