CVE-2019-19721

HIGH

VLC media player <3.0.9 - Memory Corruption

Title source: llm

Description

An off-by-one error in the DecodeBlock function in codec/sdl_image.c in VideoLAN VLC media player before 3.0.9 allows remote attackers to cause a denial of service (memory corruption) via a crafted image file. NOTE: this may be related to the SDL_Image product.

References (4)

[Vendor Advisory] https://www.videolan.org/security/

[Release Notes, Third Party Advisory] http://hg.libsdl.org/SDL_image/

[Exploit, Patch, Third Party Advisory] https://bugs.gentoo.org/721940

[Patch] https://git.videolan.org/?p=vlc/vlc-3.0.git%3Ba=commit%3Bh=72afe7ebd8305bf4f5360293b8621cde52ec506b

Scores

CVSS v3 7.8

EPSS 0.0130

EPSS Percentile 79.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-193 CWE-787

Status published

Products (1)

videolan/vlc_media_player < 3.0.9

Published May 15, 2020

Tracked Since Feb 18, 2026