CVE-2018-4022

NameCVE-2018-4022
DescriptionA use-after-free vulnerability exists in the way MKVToolNix MKVINFO v25.0.0 handles the MKV (matroska) file format. A specially crafted MKV file can cause arbitrary code execution in the context of the current user.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mkvtoolnix (PTS)buster31.0.0-1fixed
bullseye54.0.0+really52.0.0-3fixed
bookworm69.0.0-1fixed
sid70.0.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mkvtoolnixsourcejessie(not affected)
mkvtoolnixsourcestretch(not affected)
mkvtoolnixsource(unstable)28.2.0-1

Notes

[stretch] - mkvtoolnix <not-affected> (Vulnerable code introduced later)
[jessie] - mkvtoolnix <not-affected> (vulnerable code is not present)
https://talosintelligence.com/vulnerability_reports/TALOS-2018-0694
https://gitlab.com/mbunkus/mkvtoolnix/commit/43021d16c7bcd3f9f70214827755a5163782b633

Search for package or bug name: Reporting problems