CVE-2008-4654

Exp

Stack-based buffer overflow in the parse_master function in the Ty demux plugin (modules/demux/ty.c) in VLC Media Player 0.9.0 through 0.9.4 allows remote attackers to execute arbitrary code via a TiVo TY media file with a header containing a crafted size value.

Published: 2008-10-22 Last update: 2026-04-23 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2008-4654 is rated High Exploit Risk (81.8/100): CVSS Critical severity, with high exploitation likelihood (EPSS 57.55%, 99th percentile). 4 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2008-4654

EDB-ID Source Kind Published Link
16629 exploit_db edb 2011-02-02 Exploit-DB ↗
6825 exploit_db edb 2008-10-23 Exploit-DB ↗
6798 exploit_db edb 2008-10-21 Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2008-4654

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 82.12% 57.55% -24.58%
2 2026-03-30 74.62% 82.12% +7.51%
3 2026-01-28 74.62%

Full EPSS history (27 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2008-4654

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
9.3 2.0 HIGH
AV:N/AC:M/Au:N/C:C/I:C/A:C Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:C)
Complete confidentiality impact.
Integrity impact (I:C)
Complete integrity impact.
Availability impact (A:C)
Complete availability impact.
 8.6 10.0 [email protected]

Weakness enumeration for CVE-2008-4654

OS Trackers for CVE-2008-4654

vendor priority summary link
debian low CVE-2008-4654 low priority: Debian including 1 source packages (vlc), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2008-4654
ubuntu low CVE-2008-4654 low priority: Ubuntu including 1 source packages (vlc), 6 status rows across 6 suites (dapper, gutsy, hardy, intrepid, jaunty, upstream): not-affected 4, needed 1, released 1. https://ubuntu.com/security/CVE-2008-4654

Affected software / configurations for CVE-2008-4654

Vendor Product Version Raw CPE
videolan vlc_media_player 0.9 cpe:2.3:a:videolan:vlc_media_player:0.9:*:*:*:*:*:*:*
videolan vlc_media_player 0.9.1 cpe:2.3:a:videolan:vlc_media_player:0.9.1:*:*:*:*:*:*:*
videolan vlc_media_player 0.9.2 cpe:2.3:a:videolan:vlc_media_player:0.9.2:*:*:*:*:*:*:*
videolan vlc_media_player 0.9.3 cpe:2.3:a:videolan:vlc_media_player:0.9.3:*:*:*:*:*:*:*
videolan vlc_media_player 0.9.4 cpe:2.3:a:videolan:vlc_media_player:0.9.4:*:*:*:*:*:*:*

References for CVE-2008-4654

URL Tags
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502726
http://git.videolan.org/?p=vlc.git%3Ba=commit%3Bh=fde9e1cc1fe1ec9635169fa071e42b3aa6436033
http://git.videolan.org/?p=vlc.git%3Ba=commitdiff%3Bh=26d92b87bba99b5ea2e17b7eaa39c462d65e9133
http://secunia.com/advisories/32339 Vendor Advisory
http://securityreason.com/securityalert/4460
http://www.openwall.com/lists/oss-security/2008/10/19/2
http://www.securityfocus.com/archive/1/497587/100/0/threaded
http://www.securityfocus.com/bid/31813
http://www.trapkit.de/advisories/TKADV2008-010.txt Exploit
http://www.videolan.org/security/sa0809.html Vendor Advisory
http://www.vupen.com/english/advisories/2008/2856
https://exchange.xforce.ibmcloud.com/vulnerabilities/45960
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14803
cvelogic Threat Intelligence