CVE-2019-25604
Published: 22 March 2026
Summary
CVE-2019-25604 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Dvd X Player (the product is inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The vulnerability ranks at the 4.3 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2019-25604 is a local buffer overflow vulnerability (CWE-787) affecting DVDXPlayer Pro 5.5. The flaw lies in the application's handling of playlist (.plf) files, where insufficient bounds checking lets an overlong field overflow a buffer and overwrite a structured exception handling (SEH) record. The vulnerability, published on 2026-03-22 and scored 8.4 on CVSS 3.1 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), enables a local attacker to execute arbitrary code when a victim opens a malicious playlist.
A local, unprivileged attacker exploits the vulnerability by crafting a .plf file that includes shellcode and NOP sleds. When DVDXPlayer Pro 5.5 loads the file, the overflow corrupts memory and hijacks the SEH chain, redirecting execution to the attacker's shellcode. Successful exploitation yields arbitrary code execution with the privileges of the application process and, depending on the user's context, may enable further system compromise.
Advisories detail the issue, including a proof-of-concept exploit on Exploit-DB at https://www.exploit-db.com/exploits/46962 and a VulnCheck advisory at https://www.vulncheck.com/advisories/dvdxplayer-pro-local-buffer-overflow-with-seh. The vendor's download page is available at http://www.dvd-x-player.com/download.html#dvdPlayer, but the CVE description provides no specific patch or mitigation details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19950
Vulnerability details
DVDXPlayer Pro 5.5 contains a local buffer overflow vulnerability with structured exception handling that allows local attackers to execute arbitrary code by crafting malicious playlist files. Attackers can create a specially crafted .plf file containing shellcode and NOP sleds that overflows a buffer and hijacks the SEH chain to execute arbitrary code with application privileges.
- CWE(s): CWE-787 (Out-of-bounds Write)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Malicious File (T1204.002)
Why these techniques?
A local buffer overflow in the playlist file parser enables arbitrary code execution when a user opens a malicious .plf file, which corresponds directly to User Execution: Malicious File (T1204.002).
Affected Assets
- DVDXPlayer Pro 5.5
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of playlist file inputs to enforce bounds checking, directly preventing the buffer overflow in .plf file parsing exploited in CVE-2019-25604.
SI-16 implements memory protections such as DEP and ASLR that thwart SEH chain hijacking and arbitrary code execution from the buffer overflow in DVDXPlayer Pro.
SI-2 ensures timely flaw remediation by patching the specific buffer overflow vulnerability in DVDXPlayer Pro 5.5's handling of .plf files.
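As an added illustration of the SI-10 bounds-checking control above and of the overflow mechanism in the deeper analysis (not code from DVDXPlayer or from any advisory): a hypothetical playlist loader that copies each entry into a fixed 260-byte buffer only after checking its length, so an oversized field is rejected instead of running past the buffer. The .plf layout (one path per line), the buffer size, the sample file and all function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical per-entry buffer size; DVDXPlayer's real layout and the .plf
 * format are not documented here, so a path-per-line file is assumed. */
#define PLF_PATH_MAX 260

/* Copy one line into a PLF_PATH_MAX buffer only if it fits with its NUL; the
 * unchecked pattern it replaces, strcpy(dst, line), runs toward the SEH record. */
static int plf_copy_entry(char *dst, const char *line, size_t len)
{
    if (len >= PLF_PATH_MAX)
        return -1;                              /* reject, never overflow */
    memcpy(dst, line, len);
    dst[len] = '\0';
    return 0;
}

/* Parse a playlist blob: never writes past out[max_entries - 1], skips
 * blank lines, counts overlong lines in *rejected, returns accepted. */
size_t plf_load(const char *data, char out[][PLF_PATH_MAX],
                size_t max_entries, size_t *rejected)
{
    size_t accepted = 0;
    *rejected = 0;
    while (*data != '\0' && accepted < max_entries) {
        const char *nl = strchr(data, '\n');
        size_t len = nl ? (size_t)(nl - data) : strlen(data);
        if (len > 0 && data[len - 1] == '\r')
            len--;                              /* tolerate CRLF endings */
        if (len == 0)
            ;                                   /* skip blank line */
        else if (plf_copy_entry(out[accepted], data, len) == 0)
            accepted++;
        else
            (*rejected)++;
        data = nl ? nl + 1 : data + len;        /* advance past the line */
    }
    return accepted;
}

/* Constructed sample: two valid entries around a 600-byte run of 'A', the
 * kind of oversized field that would overrun a 260-byte buffer. */
size_t plf_demo(size_t *rejected)
{
    char blob[700], entries[8][PLF_PATH_MAX];
    memcpy(blob, "D:\\VIDEO_TS\\VTS_01_1.VOB\n", 25);
    memset(blob + 25, 'A', 600);
    memcpy(blob + 625, "\nD:\\VIDEO_TS\\VTS_01_2.VOB", 26);   /* incl. NUL */
    return plf_load(blob, entries, 8, rejected);
}
```

With the sample above, plf_demo accepts the two well-formed entries and reports the 600-byte line as rejected.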