CVE-2016-5108
published 2016-06-08

Priority P263, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 24.75% (97.6th percentile)

Buffer overflow in the DecodeAdpcmImaQT function in modules/codec/adpcm.c in VideoLAN VLC media player before 2.2.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted QuickTime IMA file.

Affected

7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| debian | vlc | < vlc 2.2.3-2 (bookworm) | vlc 2.2.3-2 (bookworm) |
| videolan | vlc_media_player | <= 2.2.3 | |
| videolan | vlc_media_player | >= 0 < 2.2.3-2 | 2.2.3-2 |
| videolan | vlc_media_player | >= 0 < 2.2.3-2 | 2.2.3-2 |
| videolan | vlc_media_player | >= 0 < 2.2.3-2 | 2.2.3-2 |
| videolan | vlc_media_player | >= 0 < 2.2.3-2 | 2.2.3-2 |

Detection & IOCs (extracted from sources)

url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41025.mov
filename: 41025.mov
path: modules/codec/adpcm.c
  • Monitor for VLC processing QuickTime IMA (.mov) files triggering an out-of-bounds write in DecodeAdpcmImaQT (adpcm.c:595); a crafted file with an excessive channel count relative to the allocated buffer is the attack vector.
  • Flag VLC media player instances running versions 2.2.1 through 2.2.3 (before 2.2.4) opening .mov / QuickTime IMA files, as these versions contain the vulnerable DecodeAdpcmImaQT code path.
  • Detect crashes or abnormal termination of VLC processes shortly after opening a .mov file, which may indicate exploitation of the DecodeAdpcmImaQT buffer overflow (DoS or potential RCE).
  • Exploitation difficulty is elevated due to input mangling; pure RCE exploitation is non-trivial but not ruled out.
  • The vulnerability is triggered specifically by the number of audio channels in the input stream exceeding the allocated buffer size; detection logic should account for this channel-count anomaly in QuickTime IMA files.

CVSS provenance

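| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |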