CVE-2010-0480

EXPLOITED

Microsoft Windows MPEG Layer-3 Audio Codecs - Remote Code Execution via Crafted AVI File

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2010-0480 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Metasploit, Abysssec, Yamata Li, including a Metasploit module exploits/windows/browser/ms10_026_avi_nsamplespersec.

AI-analyzed exploit summary This Metasploit module exploits a stack-based buffer overflow in l3codecx.ax via a maliciously crafted AVI file with MPEG Layer-3 audio content. It leverages the .NET DLL memory technique to achieve remote code execution on vulnerable Windows systems.

Description

Multiple stack-based buffer overflows in the MPEG Layer-3 audio codecs in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allow remote attackers to execute arbitrary code via a crafted AVI file, aka "MPEG Layer-3 Audio Decoder Stack Overflow Vulnerability."

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/17659

This Metasploit module exploits a stack-based buffer overflow in l3codecx.ax via a maliciously crafted AVI file with MPEG Layer-3 audio content. It leverages the .NET DLL memory technique to achieve remote code execution on vulnerable Windows systems.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Microsoft Windows Media Player (l3codecx.ax) on Windows XP SP3
No auth needed
Prerequisites: Vulnerable version of l3codecx.ax · Target must visit a malicious URL or open a crafted AVI file · .NET CLR installed on target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Abysssec · pythondoswindows
https://www.exploit-db.com/exploits/15096

This exploit generates a malformed AVI file by modifying the 'nSamplesPerSec' field to trigger a division-by-zero vulnerability in Microsoft MPEG Layer-3 Audio Decoder (l3codeca.acm). The PoC creates a proof-of-concept file ('poc.avi') that can cause a denial-of-service when processed by the vulnerable decoder.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Microsoft MPEG Layer-3 Audio Decoder (l3codeca.acm) 1.9.0.306
No auth needed
Prerequisites: A source AVI file ('src.avi') to modify
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Abysssec · pythonremotewindows
https://www.exploit-db.com/exploits/14895

This exploit targets a stack-based buffer overflow in Microsoft MPEG Layer-3 audio codec (l3codeca.acm) via a crafted HTML file embedding a malicious DLL. The shellcode executes arbitrary commands, demonstrating remote code execution (RCE).

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft MPEG Layer-3 Audio Codec (l3codeca.acm) on Windows XP SP2/SP3
No auth needed
Prerequisites: Victim must open the malicious HTML file in a vulnerable system · Target system must have the vulnerable codec installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by Yamata Li · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb

This Metasploit module exploits a stack-based buffer overflow in l3codecx.ax via a maliciously crafted AVI file with MPEG Layer-3 audio content. It leverages the .NET DLL memory technique to achieve remote code execution by overwriting the least significant bytes of EIP with zeros.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Windows Media Player (l3codecx.ax) on Windows XP SP3
No auth needed
Prerequisites: Target must visit a malicious URL hosting the exploit · Requires .NET CLR on the target system · For IE 8, the malicious URL must be a trusted site
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/8336
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7441
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA10-103A.html

Scores

EPSS 0.8349
EPSS Percentile 99.3%

Details

VulnCheck KEV 2012-10-18
CWE
CWE-119
Status published
Products (6)
microsoft/windows_2000
microsoft/windows_2003_server (2 CPE variants)
microsoft/windows_server_2003
microsoft/windows_server_2008 (6 CPE variants)
microsoft/windows_vista (6 CPE variants)
microsoft/windows_xp (3 CPE variants)
Published Apr 14, 2010
Tracked Since Feb 18, 2026