Cyber Resilience

CVE-2019-25350

Medium · Public PoC

Published: 18 February 2026

Modified: 15 April 2026
CVSS Score v4: 4.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0004 (12.9th percentile)
Risk Priority: 9 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25350 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in XMedia Recode (inferred from references). Its CVSS base score is 4.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 12.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2019-25350 is a denial of service vulnerability in XMedia Recode version 3.4.8.6. The flaw allows attackers to crash the application by loading a specially crafted .m3u playlist file containing an oversized buffer. It is associated with CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.

The vulnerability can be exploited by any remote attacker with low complexity and no required privileges. An attacker creates a malicious .m3u file and tricks a user into opening it within XMedia Recode 3.4.8.6, triggering an application crash. This results in denial of service for the affected instance, with no impact on confidentiality or integrity.

Advisories and resources include a proof-of-concept exploit on Exploit-DB at https://www.exploit-db.com/exploits/47679 and a detailed advisory from VulnCheck at https://www.vulncheck.com/advisories/xmedia-recode-mu-denial-of-service. The official XMedia Recode website at https://www.xmedia-recode.de/ and its download page at https://www.xmedia-recode.de/download.php provide access to potentially patched versions.

Vulnerability details

XMedia Recode 3.4.8.6 contains a denial of service vulnerability that allows attackers to crash the application by loading a specially crafted .m3u playlist file. Attackers can create a malicious .m3u file with an oversized buffer to trigger an application crash when the file is opened.

CWE(s)

CWE-770 (Allocation of Resources Without Limits or Throttling)

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The CVE directly enables delivery of a malicious .m3u file that must be opened by the user (T1204.002) to trigger the buffer-related crash/DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40902 · Shared CWE-770
CVE-2024-12537 · Shared CWE-770
CVE-2025-51846 · Shared CWE-770
CVE-2021-47877 · Shared CWE-770
CVE-2020-36950 · Shared CWE-770
CVE-2026-3260 · Shared CWE-770
CVE-2025-66560 · Shared CWE-770
CVE-2026-1718 · Shared CWE-770
CVE-2025-68136 · Shared CWE-770
CVE-2020-37038 · Shared CWE-770

Affected Assets

XMedia Recode (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Flaw remediation requires applying vendor patches to XMedia Recode, directly eliminating the denial of service vulnerability in .m3u file parsing.

Prevent: Denial-of-service protection implements safeguards such as resource limits to prevent application crashes from oversized buffers in crafted .m3u files.

Prevent: Information input validation ensures .m3u playlist files are checked for oversized buffers before processing, blocking the crash trigger.
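
One way to apply the input-validation control before a playlist reaches the application, as an added example (not code from the advisory, the vendor or this page's analysis): a Python pre-screen that enforces size limits on a .m3u file. The limits, the function name `screen_m3u` and both sample playlists are assumptions constructed for illustration.

```python
import io

# Assumed limits, not taken from the advisory; tune them to real playlists.
MAX_FILE_BYTES = 1_000_000   # whole playlist
MAX_LINE_BYTES = 2_048       # one path, URL or #EXT directive
MAX_ENTRIES = 10_000         # media entries (non-comment lines)


def screen_m3u(stream, max_file=MAX_FILE_BYTES, max_line=MAX_LINE_BYTES,
               max_entries=MAX_ENTRIES):
    """Return a list of findings for a binary stream; empty means it passed.

    Lines are read with a bounded readline(), so the screener never buffers
    more than max_line + 2 bytes at once, whatever the file contains.
    """
    findings, total, entries, lineno = [], 0, 0, 0
    while True:
        chunk = stream.readline(max_line + 2)      # +2 leaves room for CRLF
        if not chunk:
            break
        lineno += 1
        total += len(chunk)
        if total > max_file:
            findings.append(f"file larger than {max_file} bytes")
            break
        body = chunk.rstrip(b"\r\n")
        # A full-size chunk without a newline means the line kept going.
        cut_short = len(chunk) == max_line + 2 and not chunk.endswith(b"\n")
        if cut_short or len(body) > max_line:
            findings.append(f"line {lineno} longer than {max_line} bytes")
            break                                  # stop reading further
        if b"\x00" in body:
            findings.append(f"line {lineno} contains a NUL byte")
        if body.strip() and not body.lstrip().startswith(b"#"):
            entries += 1
            if entries > max_entries:
                findings.append(f"more than {max_entries} entries")
                break
    return findings


# Constructed samples: a normal playlist and one with an oversized line.
GOOD = b"#EXTM3U\r\n#EXTINF:123,Sample Track\r\nC:\\Music\\track01.mp3\r\n"
OVERSIZED = b"#EXTM3U\n" + b"A" * 6000 + b"\n"

if __name__ == "__main__":
    for name, data in (("good", GOOD), ("oversized", OVERSIZED)):
        print(name, screen_m3u(io.BytesIO(data)) or "ok")
```

Open the file in binary mode (`open(path, "rb")`) and quarantine or reject it when the returned list is non-empty.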
