CVE-2020-13428

HIGH

VideoLAN VLC media player <3.0.11 - Buffer Overflow

Title source: llm
STIX 2.1

Description

A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 for macOS/iOS allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file.

References (5)

Core 5
Core References
Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/videolan/vlc-3.0/releases/tag/3.0.11
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4704
Vendor Advisory x_refsource_confirm
https://www.videolan.org/security/sb-vlc3011.html

Scores

CVSS v3 7.8
EPSS 0.0239
EPSS Percentile 82.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-787
Status published
Products (3)
debian/debian_linux 9.0
debian/debian_linux 10.0
videolan/vlc_media_player < 3.0.11 (2 CPE variants)
Published Jun 08, 2020
Tracked Since Feb 18, 2026