CVE-2019-25350
Published: 18 February 2026
Summary
CVE-2019-25350 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in XMedia Recode (inferred from references). Its CVSS base score is 4.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 12.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2019-25350 is a denial of service vulnerability in XMedia Recode version 3.4.8.6. The flaw allows attackers to crash the application by loading a specially crafted .m3u playlist file containing an oversized buffer. It is associated with CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.
The vulnerability can be exploited by any remote attacker with low complexity and no required privileges. An attacker creates a malicious .m3u file and tricks a user into opening it within XMedia Recode 3.4.8.6, triggering an application crash. This results in denial of service for the affected instance, with no impact on confidentiality or integrity.
Advisories and resources include a proof-of-concept exploit on Exploit-DB at https://www.exploit-db.com/exploits/47679 and a detailed advisory from VulnCheck at https://www.vulncheck.com/advisories/xmedia-recode-mu-denial-of-service. The official XMedia Recode website at https://www.xmedia-recode.de/ and its download page at https://www.xmedia-recode.de/download.php provide access to potentially patched versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19637
Vulnerability details
XMedia Recode 3.4.8.6 contains a denial of service vulnerability that allows attackers to crash the application by loading a specially crafted .m3u playlist file. Attackers can create a malicious .m3u file with an oversized buffer to trigger an application crash when the file is opened.
- CWE(s): CWE-770
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw is triggered by a malicious .m3u file that the user must open (T1204.002), which causes the buffer-related crash/DoS.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Flaw remediation requires applying vendor patches to XMedia Recode, directly eliminating the buffer overflow vulnerability in .m3u file parsing.
Denial-of-service protection implements safeguards like resource limits to prevent application crashes from oversized buffers in crafted .m3u files.
Information input validation ensures .m3u playlist files are checked for oversized buffers before processing, blocking the crash trigger.
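One way to apply the input-validation control described above is to screen .m3u files before they reach the application. The following is an added example, not code from XMedia Recode or from the referenced advisories. The names `screen_m3u` and `Verdict` and the limits `MAX_FILE_BYTES` and `MAX_LINE_BYTES` are assumptions, since the page does not state the size that triggers the crash.

```python
import os
import tempfile
from dataclasses import dataclass

# Assumed limits (not from the advisory, which gives no triggering size).
MAX_FILE_BYTES = 1024 * 1024   # whole playlist
MAX_LINE_BYTES = 4096          # one path, URL or #EXT directive
CHUNK = 64 * 1024              # read size used by the screen itself


@dataclass
class Verdict:
    ok: bool
    reason: str


def screen_m3u(path: str) -> Verdict:
    """Flag a playlist whose total size or longest line exceeds the limits.

    Reads fixed-size chunks, so the screen never holds an
    attacker-sized line in memory.
    """
    size = os.path.getsize(path)
    if size > MAX_FILE_BYTES:
        return Verdict(False, f"file is {size} bytes (limit {MAX_FILE_BYTES})")
    line_no, line_len = 1, 0
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            parts = chunk.split(b"\n")
            for i, part in enumerate(parts):
                line_len += len(part)  # carries over across chunk boundaries
                if line_len > MAX_LINE_BYTES:
                    return Verdict(False, f"line {line_no} exceeds {MAX_LINE_BYTES} bytes")
                if i < len(parts) - 1:  # a newline closed this line
                    line_no, line_len = line_no + 1, 0
    return Verdict(True, "within limits")


if __name__ == "__main__":
    # Constructed samples: an ordinary playlist and one just over the line limit.
    samples = {"ok.m3u": b"#EXTM3U\nC:\\Music\\track01.mp3\n",
               "long.m3u": b"#EXTM3U\n" + b"x" * (MAX_LINE_BYTES + 1) + b"\n"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(data)
            print(name, screen_m3u(p))
```

A screen like this fits a mail or download gateway, or a wrapper script that opens the playlist only when `ok` is true; tune the limits to the longest legitimate paths and URLs in your environment.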