#VU19245 Integer underflow in VLC Media Player - CVE-2019-13602

Cybersecurity Help s.r.o.

Published: 2019-07-18 | Updated: 2019-07-18

Vulnerability identifier: #VU19245

Vulnerability risk: Low

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-13602

CWE-ID: CWE-191

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
VLC Media Player
Client/Desktop applications / Multimedia software

Vendor: VideoLAN

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attacks on the target system.

The vulnerability exists due to a boundary error in the "MP4_EIA608_Convert()" function in the "modules/demux/mp4/mp4.c" file. A remote attacker can trick the victim to open a specially crafted .mp4 file, trigger integer underflow and crash the affected application.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

VLC Media Player: 1.0.0 - 3.0.7.1

External links
https://git.videolan.org/?p=vlc.git;a=commit;h=8e8e0d72447f8378244f5b4a3dcde036dbeb1491
https://git.videolan.org/?p=vlc.git;a=commit;h=b2b157076d9e94df34502dd8df0787deb940e938

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

OpenSUSE Linux update for vlc

Gentoo update for VLC

OpenSUSE Linux update for vlc

Integer underflow in vlc (Alpine package)