CVE-2011-0522
published 2011-02-07

CVE-2011-0522: The StripTags function in (1) the USF decoder (modules/codec/subtitles/subsdec.c) and (2) the Text decoder (modules/codec/subtitles/subsusf.c) in VideoLAN VLC…

Priority: P2 · 59 · medium
CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Flags: EXPLOIT
EPSS: 51.67% (98.8th percentile)
The StripTags function in (1) the USF decoder (modules/codec/subtitles/subsdec.c) and (2) the Text decoder (modules/codec/subtitles/subsusf.c) in VideoLAN VLC Media Player 1.1 before 1.1.6-rc allows remote attackers to execute arbitrary code via a subtitle with an opening "<" in an MKV file, which triggers heap memory corruption, as demonstrated using refined-australia-blu720p-sample.mkv.

Affected

12 ranges

Vendor    | Product           | Version range                     | Fixed in
debian    | vlc               | < vlc 1.1.3-1squeeze2 (bookworm)  | vlc 1.1.3-1squeeze2 (bookworm)
videolan  | vlc_media_player  |                                   |
videolan  | vlc_media_player  |                                   |
videolan  | vlc_media_player  |                                   |
videolan  | vlc_media_player  |                                   |
videolan  | vlc_media_player  |                                   |
videolan  | vlc_media_player  |                                   |
videolan  | vlc_media_player  |                                   |
videolan  | vlc_media_player  | >= 0 < 1.1.3-1squeeze2            | 1.1.3-1squeeze2
videolan  | vlc_media_player  | >= 0 < 1.1.3-1squeeze2            | 1.1.3-1squeeze2
videolan  | vlc_media_player  | >= 0 < 1.1.3-1squeeze2            | 1.1.3-1squeeze2
videolan  | vlc_media_player  | >= 0 < 1.1.3-1squeeze2            | 1.1.3-1squeeze2

Detection & IOCs (extracted from sources)

path: modules/codec/subtitles/subsdec.c
path: modules/codec/subtitles/subsusf.c
  • Trigger is a subtitle tag with an opening tag lacking a closing '>' character (e.g. '<foo\0') embedded in an MKV file's subtitle track; hunt for MKV files whose embedded subtitle streams contain malformed/unclosed HTML-like tags.
  • Exploitation requires the victim to open a crafted MKV file with VLC; delivery vector is a malicious media file, so monitor for VLC processes spawned against untrusted/network-sourced MKV files.
  • Vulnerable code paths are the StripTags() function in both the USF subtitle decoder (subsdec.c) and the Text/USF decoder (subsusf.c); crash/exploitation manifests as heap memory corruption in those modules.
  • The PoC patches byte offset 877862 of the MKV file with the null-terminated string '<foo\0crashme'; use this byte-offset pattern or the null byte immediately after an unclosed tag as a file-scanning signature.
  • Vulnerability only affects VLC Media Player 1.1.x before 1.1.6-rc; versions at or above 1.1.6-rc are not vulnerable.
  • Both the USF subtitle decoder and the Text subtitle decoder share the vulnerable StripTags() code path, so either subtitle format in an MKV can trigger the bug.

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv            |         | 6.8   | MEDIUM   |
vendor_debian  |         | 6.8   | MEDIUM   |