Integer Underflow Vulnerability in VLC Media Player by VideoLAN
CVE-2014-9626

7.8HIGH

Key Information:

Vendor

Videolan
Status
Vlc Media Player
Vendor
CVE Published:
24 January 2020

What is CVE-2014-9626?

An integer underflow vulnerability exists in the MP4_ReadBox_String function within the VLC Media Player, specifically in the demux module. An attacker could exploit this vulnerability by providing a crafted MP4 file with a box size less than 7, which may lead to denial of service conditions. The potentially exploitable flaw could also result in other unspecified impacts, affecting the functionality and stability of the player, particularly prior to version 2.1.6. Users are advised to update their VLC Media Player to the latest version to mitigate risks.

References

http://openwall.com/lists/oss-security/2015/01/20/5
x_refsource_MISC
https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e...
x_refsource_MISC
https://www.videolan.org/security/sa1501.html
x_refsource_CONFIRM

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.