CVE-2017-17670 — Use After Free in VLC Media Player

CWE-416 — Use After Free5 documents5 sources

Severity

8.8HIGHNVD

EPSS

1.3%

top 20.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Videolan VLC Media Player Debian Linux

Timeline

PublishedDec 15

Latest updateMay 14

Description

In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to a invalid free, because the type of a box may be changed between a read operation and a free operation.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶Debianvideolan/vlc_media_player< 3.0.0~rc2-1+3

▶NVDvideolan/vlc_media_player2.2.8

Also affects: Debian Linux 9.0

🔴Vulnerability Details

GHSA

GHSA-6p8x-v4m8-8pvg: In VideoLAN VLC media player through 2↗2022-05-14

▶

OSV

CVE-2017-17670: In VideoLAN VLC media player through 2↗2017-12-15

▶

CVEList

CVE-2017-17670: In VideoLAN VLC media player through 2↗2017-12-15

▶

📋Vendor Advisories

Debian

CVE-2017-17670: vlc - In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerabi...↗2017

▶