CVE-2021-25801

HIGH

VLC Media Player 3.0.11 - Out-of-bounds Read in __Parse_indx

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-25801. PoCs published by DShankle.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2021-25801, a vulnerability in VLC media player stemming from insufficient validation of chunk types in the AVI demuxer, leading to an out-of-bounds read. The analysis includes code snippets, root cause explanation, and a proof-of-concept scenario using a crafted 'strh' chunk.

Description

A buffer overflow vulnerability in the __Parse_indx component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file.

Exploits (1)

nomisec WRITEUP

by DShankle · poc

https://github.com/DShankle/VLC_CVE-2021-25801_Analysis

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2021-25801, a vulnerability in VLC media player stemming from insufficient validation of chunk types in the AVI demuxer, leading to an out-of-bounds read. The analysis includes code snippets, root cause explanation, and a proof-of-concept scenario using a crafted 'strh' chunk.

Classification

Writeup 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: VLC media player 3.0.11

No auth needed

Prerequisites: Crafted AVI file with malformed 'indx' chunk structure

MITRE ATT&CK

T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory x_refsource_misc

https://code.videolan.org/videolan/vlc-3.0/-/commit/f5f8cc3ab8825f178de3f6714bfbff8b3f293fd2

Scores

CVSS v3 7.1

EPSS 0.0152

EPSS Percentile 71.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Details

CWE

CWE-125

Status published

Products (1)

videolan/vlc_media_player 3.0.11

Published Jul 26, 2021

Tracked Since Feb 18, 2026