CVE-2017-8311

HIGH

VideoLAN VLC < 2.2.5 - Heap-Based Buffer Overflow via Crafted Subtitles File

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-8311. PoCs published by SivertPL.

AI-analyzed exploit summary This PoC exploits a memory corruption vulnerability in VLC/Kodi/PopcornTime's JacoSUB subtitle parsing. It generates a malicious .jss subtitle file that triggers a heap overflow, leading to a crash and potential RCE.

Description

Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before 2.2.5 due to skipping NULL terminator in an input string allows attackers to execute arbitrary code via a crafted subtitles file.

Exploits (1)

exploitdb WORKING POC
by SivertPL · pythondoswindows
https://www.exploit-db.com/exploits/44514

This PoC exploits a memory corruption vulnerability in VLC/Kodi/PopcornTime's JacoSUB subtitle parsing. It generates a malicious .jss subtitle file that triggers a heap overflow, leading to a crash and potential RCE.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Racy
Target: VLC Media Player/Kodi/PopcornTime < 2.2.5
No auth needed
Prerequisites: Target must load the malicious subtitle file
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201707-10
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44514/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/98634
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3899

Scores

CVSS v3 7.8
EPSS 0.0877
EPSS Percentile 94.5%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-119
Status published
Products (2)
VideoLAN/VLC <2.2.5
videolan/vlc_media_player < 2.2.4
Published May 23, 2017
Tracked Since Feb 18, 2026