Skip to main content

MediaInfoLib EUVDEUVD-2026-31807

| CVE-2026-25713 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-05-26 talos GHSA-5xvx-vqhq-2pqv
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 10:19 vuln.today

DescriptionCVE.org

MediaArea MediaInfoLib ID3v2 parsing heap buffer overflow vulnerability

AnalysisAI

Heap buffer overflow in MediaArea MediaInfoLib's ID3v2 metadata parser allows local attackers to achieve arbitrary code execution when a victim opens a crafted media file. The flaw affects MediaInfoLib 26.01 and requires user interaction to trigger, with no public exploit identified at time of analysis. While CVSS rates it 7.8 (High), the very low EPSS score (0.01%) and SSVC 'Exploitation: none' signal suggest no widespread targeting is occurring.

Technical ContextAI

MediaInfoLib is a widely embedded open-source C++ library by MediaArea that extracts technical and tag metadata from audio and video container formats; it is used by the MediaInfo GUI/CLI and integrated into countless third-party media tools, transcoders, and asset-management systems. The vulnerable code path lies in the parser for ID3v2 tags - the metadata frame format embedded in MP3 and other audio files - where malformed frame headers or oversized fields cause out-of-bounds writes on the heap (CWE-122: Heap-based Buffer Overflow). Affected component per CPE is cpe:2.3:a:mediaarea:mediainfolib with version 26.01 confirmed by EUVD. Heap corruption in a parsing library of this kind is a classic vector for memory-corruption exploitation, and the 'total' technical impact in SSVC reflects that a successful overwrite can pivot to code execution within the host process.

RemediationAI

No vendor-released patch identified at time of analysis from the provided data - monitor the Talos advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2026-2368 and the MediaArea project for a release succeeding 26.01 and upgrade as soon as it ships. Until a fix is available, restrict MediaInfoLib processing to trusted media sources, disable or sandbox automated ingestion pipelines that scan attacker-controlled audio files, and consider running the parser inside a hardened container or seccomp/AppArmor profile to contain heap corruption - the trade-off being added operational complexity and possible throughput loss in transcoding workflows. For desktop users, instruct staff not to open ID3v2-bearing audio files from untrusted senders; this mitigates the UI:R requirement but does not eliminate risk from previously-stored files. Track VulDB entry https://vuldb.com/vuln/365623 for additional remediation detail.

Share

EUVD-2026-31807 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy