Denial of service in VideoLAN VLC Media Player

Published: 2018-12-07 22:58:45
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2018-19857
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software VLC Media Player
Vulnerable software versions VLC Media Player 3.0.4
Vendor URL VideoLAN Organization

Security Advisory

1) Improper input validation


The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to improper handling of magic cookies in Core Audio Format (CAF) files, which could result in an uninitialized memory read in the CAF demuxer. A remote attacker can trick the victim into accessing a CAF file that submits malicious input, trigger typecast that converts a possibly negative return value to an unsigned integer in the ReadKukiChunk() function and cause the service to crash.


Install update from vendor's website.

External links

Back to List