Heap-Based Buffer Over-Read in VideoLAN VLC Media Player
CVE-2019-14776

7.8HIGH

Key Information:

Vendor

Videolan
Status
Vlc Media Player
Vendor
CVE Published:
29 August 2019

What is CVE-2019-14776?

A heap-based buffer over-read vulnerability in the DemuxInit() function of VideoLAN's VLC media player can be exploited by a specially crafted .mkv file. When a user opens such a malformed file, it could lead to unexpected behavior, potentially exposing sensitive data or allowing for execution of arbitrary code. This vulnerability highlights the need for timely updates and vigilance in media file management to safeguard against potential exploits.

References

http://git.videolan.org/?p=vlc.git&a=search&h=refs/heads/...
x_refsource_CONFIRM
https://www.debian.org/security/2019/dsa-4504
vendor-advisoryx_refsource_DEBIAN
https://seclists.org/bugtraq/2019/Aug/36
mailing-listx_refsource_BUGTRAQ

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.