PT-2019-4898 · Videolan+3 · Vlc Media Player+3

Antonio Morales

·

Published

2019-04-29

·

Updated

2024-06-15

·

CVE-2019-14437

CVSS v2.0

9.3

High

VectorAV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions VideoLAN VLC media player version 3.0.7.1
Description The issue is related to the xiph SplitHeaders function in the VideoLAN VLC media player, which is associated with the use of memory after it has been freed. This can be exploited by a remote attacker using a specially crafted .ogg file, potentially affecting the confidentiality, integrity, and availability of protected information. The function does not properly check array bounds, resulting in a heap-based buffer over-read.
Recommendations For version 3.0.7.1, consider disabling the xiph SplitHeaders function as a temporary workaround until a patch is available. Restrict access to the vulnerable module modules/demux/xiph.h to minimize the risk of exploitation. Avoid using specially crafted .ogg files with the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Use After Free

Improper Validation of Array Index

Out of bounds Read

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-416CWE-129CWE-125

Related Identifiers

ALT-PU-2019-2483
BDU:2020-01492
CVE-2019-14437
DSA-4504-1
MGASA-2019-0233
OPENSUSE-SU-2020:0545-1
OPENSUSE-SU-2020:0562-1
OPENSUSE-SU-2020_0545-1
OPENSUSE-SU-2024:11502-1
USN-4131-1

Affected Products

Alt Linux
Suse
Ubuntu
Vlc Media Player