CVE-2018-11529
Published: 11 July 2018
VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions.
From the Ubuntu Security Team
It was discovered that VLC mishandled certain crafted MKV files. An attacker could use this vulnerability to cause a denial of service (crash) or possibly execute arbitrary code.
Priority
Status
Package | Release | Status |
---|---|---|
vlc Launchpad, Ubuntu, Debian | hirsute | Not vulnerable (3.0.3-1-1ubuntu1) |
vlc | artful | Ignored (end of life) |
vlc | bionic | Not vulnerable (3.0.3-1-1ubuntu1) |
vlc | cosmic | Not vulnerable (3.0.3-1-1ubuntu1) |
vlc | disco | Not vulnerable (3.0.3-1-1ubuntu1) |
vlc | eoan | Not vulnerable (3.0.3-1-1ubuntu1) |
vlc | focal | Not vulnerable (3.0.3-1-1ubuntu1) |
vlc | groovy | Not vulnerable (3.0.3-1-1ubuntu1) |
vlc | impish | Not vulnerable (3.0.3-1-1ubuntu1) |
vlc | jammy | Not vulnerable (3.0.3-1-1ubuntu1) |
vlc | trusty | Released (2.1.6-0ubuntu14.04.5+esm1), available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
vlc | upstream | Released (3.0.3-1-1) |
vlc | xenial | Released (2.2.2-5ubuntu0.16.04.5+esm1), available with Ubuntu Pro |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.0 |
Attack vector | Adjacent |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |