Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-8311 — Improper Restriction of Operations within the Bounds of a Memory Buffer in VLC Media Player

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer6 documents6 sources

Severity

7.8HIGHNVD

EPSS

7.1%

top 8.48%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Videolan VLC Media Player Videolan VLC

Timeline

PublishedMay 23

Latest updateMay 14

Description

Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before 2.2.5 due to skipping NULL terminator in an input string allows attackers to execute arbitrary code via a crafted subtitles file.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶Debianvideolan/vlc_media_player< 2.2.5-1+3

▶NVDvideolan/vlc_media_player2.2.4

▶CVEListV5videolan/vlc<2.2.5

🔴Vulnerability Details

GHSA

GHSA-h3gx-7f25-5jxg: Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before 2↗2022-05-14

▶

OSV

CVE-2017-8311: Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before 2↗2017-05-23

▶

CVEList

CVE-2017-8311: Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before 2↗2017-05-23

▶

💥Exploits & PoCs

Exploit-DB

VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 - Memory Corruption (PoC)↗2018-04-24

▶

📋Vendor Advisories

Debian

CVE-2017-8311: vlc - Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before 2.2.5 du...↗2017

▶