Description
InfraRecorder 0.53 contains a denial of service vulnerability that allows local attackers to crash the application by importing a maliciously crafted text file. Attackers can create a text file containing 6000 bytes of data and import it through the Edit menu's Import function to trigger an application crash.
Published: 2026-04-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

InfraRecorder 0.53 allows a local attacker to cause a denial of service by importing a specially crafted text file. The attacker creates a file containing 6000 bytes and imports it through the Edit menu's Import function, which crashes the application. The record classifies this as CWE-789 (Memory Allocation with Excessive Size Value): the import path does not enforce a size limit on its input, leading to an overflow that terminates the application.

Affected Systems

The vulnerability affects users running InfraRecorder version 0.53 on any platform supported by the application. The only affected component is the file import functionality exposed in the Edit menu.

Risk and Exploitability

The vulnerability carries a CVSS v4.0 score of 6.9 (Medium) and an EPSS score of less than 1%, meaning it is unlikely to be actively exploited. It is not listed in the CISA KEV catalog. The attack vector is local; an attacker must have access to the user's machine to craft and import the malicious file. Once the file is imported, the crash causes a denial of service of the application only.

Generated by OpenCVE AI on April 28, 2026 at 13:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for official updates from InfraRecorder and install the latest version that addresses the text file import flaw
  • If no patch is available, disable or remove the Import text file feature within the application or restrict it to trusted users
  • Configure the application to run with the minimum necessary permissions so that a crash does not affect the broader system
  • Limit imported file sizes to a safe threshold (e.g., less than 1 KB) to prevent triggering the crash

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Infrarecorder
Infrarecorder infrarecorder
Vendors & Products Infrarecorder
Infrarecorder infrarecorder

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 26 Apr 2026 13:30:00 +0000

Type Values Removed Values Added
Description InfraRecorder 0.53 contains a denial of service vulnerability that allows local attackers to crash the application by importing a maliciously crafted text file. Attackers can create a text file containing 6000 bytes of data and import it through the Edit menu's Import function to trigger an application crash.
Title InfraRecorder 0.53 Denial of Service via txt File Import
Weaknesses CWE-789
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-27T13:31:18.123Z

Reserved: 2026-04-26T12:57:40.615Z

Link: CVE-2018-25274

Vulnrichment

Updated: 2026-04-27T13:09:25.430Z

NVD

Status: Deferred

Published: 2026-04-26T22:17:27.780

Modified: 2026-04-27T18:55:32.883

Link: CVE-2018-25274

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:30:32Z
