Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2017-8310

Published: 23 May 2017

Heap out-of-bound read in CreateHtmlSubtitle in VideoLAN VLC 2.2.x due to missing check of string termination allows attackers to read data beyond allocated memory and potentially crash the process (causing a denial of service) via a crafted subtitles file.

Priority

Medium

Cvss 3 Severity Score

5.5

Score breakdown

Status

Package Release Status
vlc
Launchpad, Ubuntu, Debian
precise Does not exist

trusty
Released (2.1.6-0ubuntu14.04.3)
upstream Needs triage

xenial
Released (2.2.2-5ubuntu0.16.04.3)
yakkety Ignored
(reached end-of-life)
zesty
Released (2.2.4-14ubuntu2.1)
Patches:
upstream: http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commit;h=7cac839692ab79dbfe5e4ebd4c4e37d9a8b1b328

Severity score breakdown

Parameter Value
Base score 5.5
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H