SPlayer version 3.7 and earlier is vulnerable to a stack-based buffer overflow when processing HTTP responses containing an overly long Content-Type header. The vulnerability occurs due to improper bounds checking on the header value, allowing an attacker to overwrite the Structured Exception Handler (SEH) and execute arbitrary code. Exploitation requires the victim to open a media file that triggers an HTTP request to a malicious server, which responds with a crafted Content-Type header.
Security readout for executives and security teams
Plain-English summary
CVE-2011-10022 affects legacy SPlayer 3.7 and earlier. A malicious server can return an oversized Content-Type header after a user opens media that causes SPlayer to make an HTTP request. Successful exploitation could run code as the user. Exposure is likely limited to endpoints still using old SPlayer.
Executive priority
Treat as high priority for environments with legacy desktop media software. The business risk is endpoint compromise after user interaction, not broad unauthenticated server exposure. Prioritize rapid inventory, removal, and replacement over emergency internet-edge response.
Technical view
The issue is a stack-based buffer overflow in SPlayer HTTP response header handling. Improper bounds checking on Content-Type can corrupt memory, including SEH, with potential arbitrary code execution. The CVSS 4.0 score is 8.6. The bundled affected metadata is inconsistent, so validate against vendor and advisory records.
Likely exposure
Organizations are exposed if Windows endpoints have SPlayer 3.7 or earlier installed and users can open untrusted media or playlist content that triggers network retrieval. This appears most relevant to legacy desktop software inventories rather than server infrastructure.
Exploitation context
Public exploit references are listed, including Exploit-DB and Metasploit sources. The bundle says CISA KEV is false, and no cited source in the bundle confirms active exploitation. Exploitation requires user interaction with media content.
Researcher notes
The strongest evidence describes SPlayer 3.7 and earlier, but the affected record in the bundle lists version "0" with defaultStatus "unaffected." Resolve that discrepancy during triage. Public exploit artifacts exist, but active exploitation is not established by the provided sources.
Mitigation direction
Inventory endpoints for SPlayer and identify versions 3.7 or earlier.
Remove SPlayer where it is not business-required.
Replace or upgrade SPlayer after checking vendor guidance.
Restrict opening media from untrusted links or sources.
Use endpoint controls to block unknown legacy media players.
Validation and detection
Check software inventory for SPlayer installations and installed versions.
Review endpoint telemetry for recent SPlayer execution.
Confirm whether SPlayer handles web-linked media in your environment.
Check vendor and advisory sources for current remediation guidance.
Track this CVE separately from KEV-based prioritization.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-120: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
6Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-120 · source CWE mapping
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.