CVE-2008-5406

Apple QuickTime Player 7.5.5-8.0.2.20 - Buffer Overflow

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-5406. PoCs published by laurent gaffié.

AI-analyzed exploit summary: This exploit demonstrates an off-by-one overflow in QuickTime/iTunes when handling long arguments in a .mov file. It provides control over EAX and EDI registers but is limited by a small buffer size (41 bytes), making reliable code execution difficult.

Description

Stack-based buffer overflow in Apple QuickTime Player 7.5.5 and iTunes 8.0.2.20 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a MOV file with "long arguments," related to an "off by one overflow."

Exploits (1)

exploitdb WORKING POC VERIFIED
by laurent gaffié · text · dos · windows
https://www.exploit-db.com/exploits/7296

Classification
Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: iTunes 8.0.2.20 / QuickTime 7.5.5
No auth needed
Prerequisites: Victim must open a maliciously crafted .mov file
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/4704
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7296
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/32540
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/46984

Scores

EPSS 0.0973
EPSS Percentile 94.9%

Details

CWE: CWE-119
Status: published
Products (2)
apple/itunes 8.0.2.20
apple/quicktime 7.5.5
Published Dec 10, 2008
Tracked Since Feb 18, 2026