CVE-2010-10016
published 2025-08-30


Priority P2 64 · critical 10 · CVSS 4.0
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 0.70% (48.4th percentile)
BS.Player version 2.57 (build 1051) contains a vulnerability in its playlist import functionality. When processing .m3u files, the application fails to properly validate the length of playlist entries, resulting in a buffer overflow condition. This flaw occurs during parsing of long URLs embedded in the playlist, allowing overwrite of Structured Exception Handler (SEH) records. The vulnerability is triggered upon opening a crafted playlist file and affects the Unicode parsing logic in the Windows client.

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| bs.player | bs.player_free_and_pro_editions | <= 2.57 (build 1051) | |

Detection & IOCs (extracted from sources)

filename: .m3u
version: BS.Player 2.57 build 1051
  • Detect opening of crafted .m3u playlist files in BS.Player 2.57 (build 1051); look for abnormally long URL entries within .m3u files that may trigger a SEH overwrite.
  • Monitor for exploitation of Unicode SEH overwrite patterns in BS.Player's playlist import code path, specifically triggered by the Unicode parsing logic.
  • Flag use of the Metasploit module 'exploits/windows/fileformat/bsplayer_m3u' as an indicator of targeted exploitation attempts against CVE-2010-10016.
  • Exploitation is file-format based (client-side); the vulnerability is only triggered when the victim actively opens a crafted .m3u file using BS.Player 2.57 (build 1051).
  • The overflow specifically targets SEH (Structured Exception Handler) records via Unicode parsing, meaning standard stack-based overflow detection may not fire; SEH-chain inspection is required.
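
A triage sketch for the first detection point above, added here as an example and not taken from the CVE record or any vendor tool: it scans playlist bytes for over-long entries before the file reaches a player. The 2048-character limit, the function names and the sample playlists are assumptions constructed for illustration; the advisory states no length.

```python
import codecs
from dataclasses import dataclass

# Assumed triage threshold; the advisory gives no length, tune it to your media estate.
MAX_ENTRY_CHARS = 2048

# Playlists may be ANSI/UTF-8 or UTF-16, so honour a BOM before measuring lengths.
_BOMS = (
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
)

@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number inside the playlist
    length: int    # entry length in characters after decoding
    is_url: bool   # True when the entry starts with a scheme such as http://

def decode_playlist(raw: bytes) -> str:
    """Decode playlist bytes, using the BOM when present and UTF-8 otherwise."""
    for bom, encoding in _BOMS:
        if raw.startswith(bom):
            return raw[len(bom):].decode(encoding, errors="replace")
    return raw.decode("utf-8", errors="replace")

def scan_m3u(raw: bytes, limit: int = MAX_ENTRY_CHARS) -> list[Finding]:
    """Return one Finding per playlist entry longer than `limit` characters."""
    findings = []
    for line_no, line in enumerate(decode_playlist(raw).splitlines(), start=1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue  # blank lines and #EXTM3U / #EXTINF directives are not entries
        if len(entry) > limit:
            findings.append(Finding(line_no, len(entry), "://" in entry[:16]))
    return findings

# Constructed samples: a normal playlist and a UTF-16 one with an over-long URL entry.
BENIGN = b"#EXTM3U\r\n#EXTINF:215,Sample Track\r\nhttp://media.example.test/track01.mp3\r\n"
OVERSIZED = codecs.BOM_UTF16_LE + (
    "#EXTM3U\r\nhttp://media.example.test/" + "seg/" * 1500 + "\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("benign.m3u", BENIGN), ("oversized.m3u", OVERSIZED)):
        for f in scan_m3u(blob):
            print(f"{name}: line {f.line_no} is {f.length} chars (url={f.is_url})")
```

A hit is a reason to quarantine and inspect the file, not proof of exploitation; legitimate streaming URLs with long query strings can exceed a low limit.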