CVE-2010-10016
Published 2025-08-30
Priority P2 (64) · critical · 10 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 0.70% (48.4th percentile)
BS.Player version 2.57 (build 1051) contains a vulnerability in its playlist import functionality. When processing .m3u files, the application fails to properly validate the length of playlist entries, resulting in a buffer overflow condition. This flaw occurs during parsing of long URLs embedded in the playlist, allowing overwrite of Structured Exception Handler (SEH) records. The vulnerability is triggered upon opening a crafted playlist file and affects the Unicode parsing logic in the Windows client.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bs.player | bs.player_free_and_pro_editions | <= 2.57 (build 1051) | — |
Detection & IOCs
- Detect opening of crafted .m3u playlist files in BS.Player 2.57 (build 1051); look for abnormally long URL entries within .m3u files that may trigger a SEH overwrite.
- Monitor for exploitation of Unicode SEH overwrite patterns in BS.Player's playlist import code path, specifically triggered by the Unicode parsing logic.
- Flag use of the Metasploit module 'exploits/windows/fileformat/bsplayer_m3u' as an indicator of targeted exploitation attempts against CVE-2010-10016.
- Exploitation is file-format based (client-side); the vulnerability is only triggered when the victim actively opens a crafted .m3u file using BS.Player 2.57 (build 1051).
- The overflow specifically targets SEH (Structured Exception Handler) records via Unicode parsing, meaning standard stack-based overflow detection may not fire; SEH-chain inspection is required.
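The first detection hint above (abnormally long entries in .m3u files) can be checked statically before a playlist reaches the player. The following is an added example, not code from this page or from any vendor; the 1024-character threshold, the function names and the sample playlists are assumptions made for illustration.

```python
import codecs
import re

# Assumed threshold (not from the advisory): ordinary media URLs and paths
# stay far below this, so any longer line deserves a closer look.
MAX_LINE_LEN = 1024

def decode_playlist(data: bytes) -> str:
    """Decode playlist bytes, honouring a BOM; latin-1 fallback never fails."""
    for bom, enc in ((codecs.BOM_UTF8, "utf-8-sig"),
                     (codecs.BOM_UTF16_LE, "utf-16"),
                     (codecs.BOM_UTF16_BE, "utf-16")):
        if data.startswith(bom):
            return data.decode(enc, errors="replace")
    return data.decode("latin-1")

def scan_m3u(data: bytes, max_len: int = MAX_LINE_LEN):
    """Return (line_number, length, kind) for every over-long playlist line."""
    findings = []
    # Split on CR/LF only: str.splitlines() also breaks on characters such as
    # U+0085, which would cut one long entry into several short ones.
    lines = re.split(r"\r\n|\r|\n", decode_playlist(data))
    for number, line in enumerate(lines, start=1):
        text = line.strip()
        if len(text) <= max_len:
            continue
        # Directive lines (#EXTINF ...) are reported too, as a conservative choice.
        kind = "directive" if text.startswith("#") else "entry"
        findings.append((number, len(text), kind))
    return findings

# Constructed samples: a normal playlist, one with a single oversized URL
# entry, and the same kind of entry stored as UTF-16 with a BOM.
BENIGN = b"#EXTM3U\n#EXTINF:123,Track\nhttp://media.example/track01.mp3\n"
SUSPECT = b"#EXTM3U\nhttp://" + b"x" * 5000 + b"\nhttp://media.example/ok.mp3\n"
SUSPECT_UTF16 = ("#EXTM3U\r\nhttp://" + "x" * 3000 + "\r\n").encode("utf-16")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT),
                       ("suspect_utf16", SUSPECT_UTF16)):
        print(name, scan_m3u(blob))
```

A hit only says the file is unusual for a playlist; it is a triage signal for mail or download scanning, not proof of an exploit attempt.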
- http://www.bsplayer.com/
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/bsplayer_m3u.rb
- https://www.exploit-db.com/exploits/15934
- https://www.exploit-db.com/exploits/18375
- https://www.vulncheck.com/advisories/bs-player-buffer-overflow-via-m3u-playlist-import