CVE-2013-3245

Name of the Vulnerable Software and Affected Versions VideoLAN VLC Media Player version 2.0.7

Description The issue allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MKV file. This could involve an integer overflow, out-of-bounds read, or heap-based buffer overflow, as well as an uncaught exception. However, the vendor disputes the severity and claimed vulnerability type, stating that the issue is not an integer overflow error but an uncaught exception, and they doubt its exploitability. A proof of concept shows signs of an attacker-controlled out-of-bounds read, but the affected instruction does not directly influence control flow.

Recommendations For version 2.0.7, consider disabling the libmkv plugin.dll to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using crafted MKV files with VideoLAN VLC Media Player. At the moment, there is no information about a newer version that contains a fix for this vulnerability.