CVE-2011-0531
published 2011-02-07

CVE-2011-0531: demux/mkv/mkv.hpp in the MKV demuxer plugin in VideoLAN VLC media player 1.1.6.1 and earlier allows remote attackers to cause a denial of service (crash) and…

Priority: P2 61 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N / AC:M / Au:N / C:C / I:C / A:C
Exploit: public exploit available
EPSS: 41.58% (98.5th percentile)
demux/mkv/mkv.hpp in the MKV demuxer plugin in VideoLAN VLC media player 1.1.6.1 and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary commands via a crafted MKV (WebM or Matroska) file that triggers memory corruption, related to "class mismatching" and the MKV_IS_ID macro.

Affected

74 ranges · showing 25

Vendor     Product            Version range               Fixed in
debian     vlc                < vlc 1.1.7-1 (bookworm)    vlc 1.1.7-1 (bookworm)
videolan   vlc_media_player   <= 1.1.6.1
videolan   vlc_media_player   (individual affected versions; range values not present in the listing)

Detection & IOCs (extracted from sources)

filename: msf.webm
url: http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2c572943b56ee4289dd07&hp=f085cfc1c95b922e3c750ee93ec58c3f2d5f7456
bytes: \x1A\x45\xDF\xA3 (EBML magic header shared by Matroska and WebM files)
  • Flag VLC processes loading libtaglib_plugin.dll at base address 0x6cd00000 on Windows XP SP3 — the exploit hardcodes this base for ROP gadget resolution.
  • The exploit targets VLC 1.1.6 on Windows XP SP3 specifically; alert on VLC versions <= 1.1.6.1 opening .mkv or .webm files, as the vulnerability is in demux/mkv/mkv.hpp via the MKV_IS_ID macro causing class mismatching memory corruption.
  • The ROP chain uses a xchg esi,esp gadget (\x87\xe6) to pivot the stack — scanning for this byte sequence within heap-sprayed memory regions in VLC's process space is a strong exploit indicator.
  • The ROP gadget addresses and heap-spray target are hardcoded for VLC 1.1.6 on Windows XP SP3 only; the exploit will not work as-is against other OS versions or VLC builds due to different module base addresses.
  • As of July 1st, 2010, VLC enables SetProcessDEPPolicy to permanently enable NX/DEP support on capable machines, which mitigates straightforward shellcode injection and forces attackers to rely on ROP chains.

CVSS provenance

nvd            v2.0   9.3   CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
osv                   9.3   CRITICAL
vendor_debian         9.3   MEDIUM