CVE-2011-0531
HIGH severity · CVSS 9.3 · Improper input validation
9.3CVSS HIGH
Summary
demux/mkv/mkv.hpp in the MKV demuxer plugin in VideoLAN VLC media player 1.1.6.1 and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary commands via a crafted MKV (WebM or Matroska) file that triggers memory corruption, related to "class mismatching" and the MKV_IS_ID macro.
Impact & exploitability
Attack vectorNetwork
Attack complexity—
Privileges required—
User interaction—
Confidentiality impact—
Integrity impact—
Availability impact—
Exploit probability (EPSS)42%
AV:N/AC:M/Au:N/C:C/I:C/A:C
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: http://www.openwall.com/lists/oss-security/2011/01/31/4 ↗
Additional information
- NVD record
- http://www.openwall.com/lists/oss-security/2011/01/31/4Patch
- http://www.openwall.com/lists/oss-security/2011/01/31/8Patch
- http://secunia.com/advisories/43131Advisory
- http://git.videolan.org/?p=vlc.git%3Ba=commit%3Bh=59491dcedffbf97612d2c572943b56ee4289dd07
- http://osvdb.org/70698
- http://secunia.com/advisories/43242
- http://www.debian.org/security/2011/dsa-2159
- http://www.securityfocus.com/bid/46060