Description
Tomabo MP4 Converter 3.25.22 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can trigger a buffer overflow by pasting a large payload into the Name parameter when adding a preset in the Video/Audio Formats options, causing the application to crash when Reset All is clicked.
Published: 2026-03-21
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

Tomabo MP4 Converter version 3.25.22 contains a buffer overflow flaw that can be exploited by a local attacker. By entering an excessively long string in the Name field when creating a preset under Video/Audio Formats options, the program overflows a buffer and crashes. The result is a denial of service of the application, which can disrupt legitimate usage. The weakness is a classic out‑of‑bounds write, classified as CWE‑787.

Affected Systems

The affected product is Tomabo MP4 Converter, specifically version 3.25.22. No other versions or variants are listed as vulnerable. The CPE identifier confirms that the issue targets this single release.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate to high severity. Exploitability evidence is limited to local attacks, as the overflow occurs within the application context; no remote trigger is known. An EPSS value is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting it has not been widely exploited in the wild. Nonetheless, because the flaw is local, anyone with local access to the victim machine (e.g., on shared workstations) could cause the application to crash, potentially interrupting workflows or triggering rebounded processes. The exploit available on Exploit-DB demonstrates feasibility, but it requires manual interaction.

Generated by OpenCVE AI on March 21, 2026 at 14:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tomabo MP4 Converter to a patched version once available.
  • If no update exists, avoid creating presets with long names or disable the preset feature until a fix is released.
  • Regularly monitor the application for crashes and review system logs for signs of exploitation.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 23 Mar 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Tomabo; Tomabo mp4 Converter |
| Vendors & Products | | Tomabo; Tomabo mp4 Converter |

Sat, 21 Mar 2026 13:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Tomabo MP4 Converter 3.25.22 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can trigger a buffer overflow by pasting a large payload into the Name parameter when adding a preset in the Video/Audio Formats options, causing the application to crash when Reset All is clicked. |
| Title | | Tomabo MP4 Converter 3.25.22 Denial of Service via Name Field |
| First Time appeared | | Ether Software; Ether Software easy Video To Mp4 Converter |
| Weaknesses | | CWE-787 |
| CPEs | | cpe:2.3:a:ether_software:easy_video_to_mp4_converter:3.25.22:*:*:*:*:*:*:* |
| Vendors & Products | | Ether Software; Ether Software easy Video To Mp4 Converter |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}; cvssV4_0: {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T15:41:23.426Z

Reserved: 2026-03-21T12:29:19.364Z

Link: CVE-2019-25554

Vulnrichment

Updated: 2026-03-23T15:41:19.895Z

NVD

Status: Awaiting Analysis

Published: 2026-03-21T13:16:17.857

Modified: 2026-03-23T14:31:37.267

Link: CVE-2019-25554

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:47:29Z
