Heap-Based Buffer Overflow Vulnerability in VideoLAN VLC Media Player
CVE-2020-13428

7.8 HIGH

Key Information:

Vendor: Videolan
CVE Published: 8 June 2020

Summary

A vulnerability exists in the hxxx_AnnexB_to_xVC function located within the modules/packetizer/hxxx_nal.c file of VideoLAN's VLC media player, specifically affecting versions prior to 3.0.11 on macOS and iOS platforms. This vulnerability can be exploited by remote attackers through specially crafted H.264 Annex-B video files, such as those with an .avi extension. Successful exploitation may lead to application crashes or could potentially allow attackers to execute arbitrary code on the affected systems.

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
