PT-2015-3379 · Videolan · Vlc Media Player

Fabian Yamaguchi · Published 2015-01-20 · Updated 2020-01-29 · CVE-2014-9628

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: VideoLAN VLC media player versions prior to 2.1.6
Description: The issue is caused by insufficient checking of the length of string boxes in the MP4 demultiplexer of VideoLAN VLC media player. The MP4_ReadBox_String function derives the allocation and copy lengths from the box's size field without first verifying that the box is at least as long as its own header, so a crafted size value triggers an unintended zero-size malloc followed by an out-of-bounds copy (buffer overflow). Exploitation may allow a remote attacker to cause a denial of service (crash) or possibly execute arbitrary code via a specially crafted .MP4 file.
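The following is an added illustration, not VLC's own code: a minimal reader for an MP4 string box that shows the unchecked length arithmetic the advisory describes beside a hardened version. The box layout assumed here is the basic one (4-byte big-endian size covering the header, 4-byte type, payload); the function names, the 8-byte header constant and the sample boxes are constructed for this example and do not come from the VLC source.

```c
/* Added example, not VLC's code. Minimal MP4 string-box reader showing the
 * length bug described in the advisory and its hardened form. Assumed box
 * layout: 4-byte big-endian size (covering the header) + 4-byte type + payload. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MP4_BOX_HEADER 8u  /* 32-bit size field + 4-byte type (fourcc) */

/* Unchecked arithmetic, the vulnerable pattern: allocation and copy lengths are
 * derived from the size field with no lower bound. With a size of 7 the
 * allocation is 0 bytes and the copy length wraps to 2^64-1, i.e. the zero-size
 * malloc plus overflow the advisory describes. The values are returned rather
 * than handed to malloc/memcpy so they can be inspected without crashing. */
uint64_t unchecked_alloc_len(uint64_t box_size)
{
    return box_size + 1 - MP4_BOX_HEADER;   /* +1 for NUL, -8 for the header */
}

uint64_t unchecked_copy_len(uint64_t box_size)
{
    return box_size - MP4_BOX_HEADER;       /* wraps when box_size < 8 */
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hardened reader. Returns a malloc'd NUL-terminated copy of the payload, or
 * NULL if the box is malformed. The missing check is the lower bound: a box can
 * never be shorter than its own header. Extended boxes (size == 1, 64-bit
 * largesize) and to-end-of-file boxes (size == 0) are deliberately rejected
 * here to keep the example short. */
char *read_string_box(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < MP4_BOX_HEADER)
        return NULL;
    uint64_t box_size = be32(buf);
    if (box_size < MP4_BOX_HEADER || box_size > buf_len)
        return NULL;                         /* shorter than its header, or past the buffer */
    size_t payload = (size_t)(box_size - MP4_BOX_HEADER);
    char *text = malloc(payload + 1);
    if (text == NULL)
        return NULL;
    memcpy(text, buf + MP4_BOX_HEADER, payload);
    text[payload] = '\0';
    return text;
}

/* Parse, compare against an expected string, free the result. */
int string_box_equals(const uint8_t *buf, size_t buf_len, const char *expected)
{
    char *text = read_string_box(buf, buf_len);
    if (text == NULL)
        return 0;
    int same = strcmp(text, expected) == 0;
    free(text);
    return same;
}

/* Constructed sample boxes (not taken from any real file). */
const uint8_t GOOD_BOX[]  = { 0, 0, 0, 12, 'n', 'a', 'm', 'e', 'a', 'b', 'c', 'd' };
const uint8_t SHORT_BOX[] = { 0, 0, 0,  7, 'n', 'a', 'm', 'e', 'a', 'b', 'c', 'd' };
const uint8_t LONG_BOX[]  = { 0, 0, 0, 64, 'n', 'a', 'm', 'e', 'a', 'b', 'c', 'd' };

int main(void)
{
    printf("size 7: unchecked malloc(%llu), memcpy length %llu\n",
           (unsigned long long)unchecked_alloc_len(7),
           (unsigned long long)unchecked_copy_len(7));
    printf("good box -> %s\n",
           string_box_equals(GOOD_BOX, sizeof GOOD_BOX, "abcd") ? "\"abcd\"" : "reject");
    printf("short box -> %s\n",
           read_string_box(SHORT_BOX, sizeof SHORT_BOX) ? "accept" : "reject");
    printf("oversized box -> %s\n",
           read_string_box(LONG_BOX, sizeof LONG_BOX) ? "accept" : "reject");
    return 0;
}
```

The upper bound (box size must fit in the bytes actually available) is the companion check: a size smaller than the header yields the zero-size allocation and wrapped copy length, while a size larger than the data read yields an out-of-bounds read instead. A demuxer that validates both before doing any arithmetic on the size field avoids the whole class.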
Recommendations: For versions prior to 2.1.6, update to version 2.1.6 or later to resolve the issue. As a temporary workaround, avoid opening .MP4 files from untrusted sources until the update is applied.

Fix · RCE · DoS · Buffer Overflow


Weakness Enumeration

Related Identifiers

ALT-PU-2015-1261
BDU:2019-03982
CVE-2014-9628
DSA-3150-1
MGASA-2015-0053

Affected Products

Alt Linux
Vlc Media Player