{"id":"CVE-2019-13615","details":"libebml before 1.3.6, as used in the MKV module in VideoLAN VLC Media Player binaries before 3.0.3, has a heap-based buffer over-read in EbmlElement::FindNextElement.","modified":"2026-04-11T16:44:40.592263Z","published":"2019-07-16T17:15:12.580Z","references":[{"type":"WEB","url":"https://github.com/Matroska-Org/libebml/compare/release-1.3.5...release-1.3.6"},{"type":"WEB","url":"https://usn.ubuntu.com/4073-1/"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/109304"},{"type":"REPORT","url":"https://trac.videolan.org/vlc/ticket/22474"},{"type":"FIX","url":"https://github.com/Matroska-Org/libebml/commit/05beb69ba60acce09f73ed491bb76f332849c3a0"},{"type":"FIX","url":"https://github.com/Matroska-Org/libebml/commit/b66ca475be967547af9a3784e720fbbacd381be6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/matroska-org/libebml","events":[{"introduced":"0"},{"fixed":"05beb69ba60acce09f73ed491bb76f332849c3a0"},{"fixed":"b66ca475be967547af9a3784e720fbbacd381be6"}],"database_specific":{"source":"REFERENCES"}}],"versions":["release-1.3.0","release-1.3.1","release-1.3.2","release-1.3.3","release-1.3.4","release-1.3.5"],"database_specific":{"vanir_signatures":[{"digest":{"line_hashes":["249363715083438192575858934752190846262","155038823291976621638196136620035079257","238334458261036264088903847147222440374","31736025595015518718928095430263371379","25033995640621007982586328189385965633","55678892275375892865694476476557895199","211731725038840399897453304366352057171","268358844292664959502256022675968497550","136758609810238464836257810036947271362","257757031048684473420359714500939234408","259883402637309694127599617705892046253","265086569346827360124167159965842451724"],"threshold":0.9},"id":"CVE-2019-13615-063c719e","target":{"file":"src/EbmlElement.cpp"},"deprecated":false,"source":"https://github.com/matroska-org/libebml/commit/05beb69ba60acce09f73ed491bb76f332849c3a0","signature_version":"v1","signature_type":"Line"},{"digest":{"function_hash":"209908443495593110356754806361852486063","length":1792},"id":"CVE-2019-13615-832824af","target":{"function":"EbmlElement::FindNextElement","file":"src/EbmlElement.cpp"},"deprecated":false,"source":"https://github.com/matroska-org/libebml/commit/05beb69ba60acce09f73ed491bb76f332849c3a0","signature_version":"v1","signature_type":"Function"},{"digest":{"function_hash":"121084963314328406384183393807080098377","length":1852},"id":"CVE-2019-13615-ff01e5be","target":{"function":"EbmlElement::FindNextElement","file":"src/EbmlElement.cpp"},"deprecated":false,"source":"https://github.com/matroska-org/libebml/commit/b66ca475be967547af9a3784e720fbbacd381be6","signature_version":"v1","signature_type":"Function"}],"vanir_signatures_modified":"2026-04-11T16:44:40Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-13615.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/videolan/vlc-3.0","events":[{"introduced":"0"},{"fixed":"412899cb41b8395dba2f54f3e03d5b5ac8f0ef6b"}],"database_specific":{"cpe":"cpe:2.3:a:videolan:vlc_media_player:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"3.0.3"}]}}],"versions":["0.9.0","0.9.0-test0","0.9.0-test1","0.9.0-test2","0.9.0-test3","1.0.0-pre1","1.0.0-pre2","1.0.0-rc1","1.1.0-ff","1.1.0-pre1","1.2.0-pre1","1.3.0-git","2.1.0-git","2.2.0-git","3.0.0","3.0.0-1","3.0.0-2","3.0.0-git","3.0.0-rc1","3.0.0-rc2","3.0.0-rc3","3.0.0-rc4","3.0.0-rc5","3.0.0-rc6","3.0.0-rc7","3.0.0-rc8","3.0.0.1","3.0.1","3.0.2","svn-trunk"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-13615.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}