#VU35651 Resource management error in Libav - CVE-2019-14442

Cybersecurity Help s.r.o.

Published: 2019-07-30 | Updated: 2020-08-08

Vulnerability identifier: #VU35651

Vulnerability risk: Medium

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-14442

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Libav
Client/Desktop applications / Multimedia software

Vendor: Libav

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In mpc8_read_header in libavformat/mpc8.c in Libav 12.3, an input file can result in an avio_seek infinite loop and hang, with 100% CPU consumption. Attackers could leverage this vulnerability to cause a denial of service via a crafted file.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Libav: 12.3

External links
https://bugzilla.libav.org/show_bug.cgi?id=1159
https://lists.debian.org/debian-lts-announce/2019/09/msg00000.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Libav