CVE-2014-2299

Exp

Buffer overflow in the mpeg_read function in wiretap/mpeg.c in the MPEG parser in Wireshark 1.8.x before 1.8.13 and 1.10.x before 1.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a large record in MPEG data.

Published: 2014-03-11 Last update: 2026-05-06 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2014-2299 is rated High Exploit Risk (81.7/100): CVSS Critical severity, with high exploitation likelihood (EPSS 47.14%, 99th percentile). 1 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2014-2299

EDB-ID Source Kind Published Link
33069 exploit_db edb 2014-04-28 Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2014-2299

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 66.92% 47.14% -19.78%
2 2026-05-01 67.96% 66.92% -1.04%
3 2026-03-13 67.96%

Full EPSS history (20 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2014-2299

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
9.3 2.0 HIGH
AV:N/AC:M/Au:N/C:C/I:C/A:C Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:C)
Complete confidentiality impact.
Integrity impact (I:C)
Complete integrity impact.
Availability impact (A:C)
Complete availability impact.
 8.6 10.0 [email protected]

Weakness enumeration for CVE-2014-2299

OS Trackers for CVE-2014-2299

vendor priority summary link
debian not yet assigned CVE-2014-2299 not yet assigned priority: Debian including 1 source packages (wireshark), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2014-2299
gentoo normal CVE-2014-2299: 1 GLSA(s) (201406-33), 1 atom(s) (net-analyzer/wireshark); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2014-2299
redhat medium https://access.redhat.com/security/cve/CVE-2014-2299
suse critical CVE-2014-2299 severity critical: SUSE including 56 source package names (libwireshark18-4.4.7-160000.2.2, libwireshark8-2.2.7-47.1, …), 169 product×package rows across 46 product lines (HPE Helion OpenStack 8, SUSE Linux Enterprise Desktop 11 SP3, … (46 product lines)): Known Not Affected 87, Fixed 82. https://www.suse.com/security/cve/CVE-2014-2299/
ubuntu medium CVE-2014-2299 medium priority: Ubuntu including 1 source packages (wireshark), 12 status rows across 12 suites (lucid, precise, quantal, saucy, trusty, upstream, utopic, vivid, wily, xenial, yakkety, zesty): released 8, ignored 4. https://ubuntu.com/security/CVE-2014-2299

Affected software / configurations for CVE-2014-2299

Vendor Product Version Raw CPE
wireshark wireshark 1.8.0 cpe:2.3:a:wireshark:wireshark:1.8.0:*:*:*:*:*:*:*
wireshark wireshark 1.8.1 cpe:2.3:a:wireshark:wireshark:1.8.1:*:*:*:*:*:*:*
wireshark wireshark 1.8.2 cpe:2.3:a:wireshark:wireshark:1.8.2:*:*:*:*:*:*:*
wireshark wireshark 1.8.3 cpe:2.3:a:wireshark:wireshark:1.8.3:*:*:*:*:*:*:*
wireshark wireshark 1.8.4 cpe:2.3:a:wireshark:wireshark:1.8.4:*:*:*:*:*:*:*
wireshark wireshark 1.8.5 cpe:2.3:a:wireshark:wireshark:1.8.5:*:*:*:*:*:*:*
wireshark wireshark 1.8.6 cpe:2.3:a:wireshark:wireshark:1.8.6:*:*:*:*:*:*:*
wireshark wireshark 1.8.7 cpe:2.3:a:wireshark:wireshark:1.8.7:*:*:*:*:*:*:*
wireshark wireshark 1.8.8 cpe:2.3:a:wireshark:wireshark:1.8.8:*:*:*:*:*:*:*
wireshark wireshark 1.8.9 cpe:2.3:a:wireshark:wireshark:1.8.9:*:*:*:*:*:*:*
wireshark wireshark 1.8.10 cpe:2.3:a:wireshark:wireshark:1.8.10:*:*:*:*:*:*:*
wireshark wireshark 1.8.11 cpe:2.3:a:wireshark:wireshark:1.8.11:*:*:*:*:*:*:*
wireshark wireshark 1.8.12 cpe:2.3:a:wireshark:wireshark:1.8.12:*:*:*:*:*:*:*
wireshark wireshark 1.10.0 cpe:2.3:a:wireshark:wireshark:1.10.0:*:*:*:*:*:*:*
wireshark wireshark 1.10.1 cpe:2.3:a:wireshark:wireshark:1.10.1:*:*:*:*:*:*:*
wireshark wireshark 1.10.2 cpe:2.3:a:wireshark:wireshark:1.10.2:*:*:*:*:*:*:*
wireshark wireshark 1.10.3 cpe:2.3:a:wireshark:wireshark:1.10.3:*:*:*:*:*:*:*
wireshark wireshark 1.10.4 cpe:2.3:a:wireshark:wireshark:1.10.4:*:*:*:*:*:*:*
wireshark wireshark 1.10.5 cpe:2.3:a:wireshark:wireshark:1.10.5:*:*:*:*:*:*:*

References for CVE-2014-2299

URL Tags
http://lists.opensuse.org/opensuse-updates/2014-03/msg00046.html
http://lists.opensuse.org/opensuse-updates/2014-03/msg00047.html
http://osvdb.org/show/osvdb/104199
http://packetstormsecurity.com/files/126337/Wireshark-1.8.12-1.10.5-wiretap-mpeg.c-Stack-Buffer-Overflow.html
http://rhn.redhat.com/errata/RHSA-2014-0341.html
http://rhn.redhat.com/errata/RHSA-2014-0342.html
http://secunia.com/advisories/57480
http://secunia.com/advisories/57489
http://www.debian.org/security/2014/dsa-2871
http://www.exploit-db.com/exploits/33069
http://www.securityfocus.com/bid/66066
http://www.securitytracker.com/id/1029907
http://www.wireshark.org/security/wnpa-sec-2014-04.html Vendor Advisory
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843
https://code.wireshark.org/review/gitweb?p=wireshark.git%3Ba=commit%3Bh=f567435ac7140c96a5de56dbce3d5e7659af4d09
cvelogic Threat Intelligence