#VU19982 Integer underflow in VLC Media Player - CVE-2019-5459

Cybersecurity Help s.r.o.

Published: 2019-08-08

Vulnerability identifier: #VU19982

Vulnerability risk: Low

CVSSv4.0: 0.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2019-5459

CWE-ID: CWE-191

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
VLC Media Player
Client/Desktop applications / Multimedia software

Vendor: VideoLAN

Description

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to integer underflow when processing FAAD2 media files. A remote attacker can create a specially crafted media file, trick the victim to open it, trigger integer underflow and crash the affected application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

VLC Media Player: 3.0.0 - 3.0.6

External links
https://hackerone.com/reports/502816
https://hackerone.com/reports/507858
https://github.com/videolan/vlc/commit/16d40d9f8a57b6bdd01b8ee0ecf5147547d5953c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

OpenSUSE Linux update for vlc

Multiple vulnerabilities in VLC Media Player