Use-after-free error in MKVToolNix - CVE-2018-4022
Published: October 29, 2018
Vulnerability identifier: #VU15553
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-4022
CWE-ID: CWE-416
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: MKVToolNix
Affected software:
MKVToolNix
MKVToolNix
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to execute arbitrary code with elevated privileges.
The weakness exists in the MKVToolNix mkvinfo tool due to use-after-free error when handling of the MKV (Matroska video) file format.
While reading a new element, the mkvinfo parser attempts to validate the current element by checking if it has a particular valid value. If there is no such value, the parser deletes the element since the read was invalid. However, even if the element is deleted, the value is passed back to the calling function via a variable, but there is no validation, even if this element is valid and was not freed before. A remote attacker can trick the victim into opening a specially crafted file .mkv file, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists in the MKVToolNix mkvinfo tool due to use-after-free error when handling of the MKV (Matroska video) file format.
While reading a new element, the mkvinfo parser attempts to validate the current element by checking if it has a particular valid value. If there is no such value, the parser deletes the element since the read was invalid. However, even if the element is deleted, the value is passed back to the calling function via a variable, but there is no validation, even if this element is valid and was not freed before. A remote attacker can trick the victim into opening a specially crafted file .mkv file, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
How to mitigate CVE-2018-4022
Update to version 28.2.0.