Description
MediaMonkey 4.1.23 contains a denial of service vulnerability that allows local attackers to crash the application by opening a specially crafted MP3 file containing an excessively long URL string. Attackers can create a malicious MP3 file with a buffer containing 4000 bytes of data appended to a URL, which causes the application to crash when the file is opened through the File > Open URL dialog.
Published: 2026-03-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

MediaMonkey crashes when a user opens a specially crafted MP3 file containing an excessively long URL string. The application fails while processing this string, causing the program to terminate unexpectedly. The resulting loss of service interrupts the user's ability to manage music files, and the vulnerability is classified under CWE-226, a denial-of-service weakness caused by improper handling of user-supplied input.

Affected Systems

Only the specific build MediaMonkey 4.1.23.1881 for Windows, distributed by VentisMedia, is affected. No other versions or platforms are listed as vulnerable. The issue manifests when the File > Open URL dialog is invoked with a malicious file; other MediaMonkey editions and non-Windows systems are not documented as impacted.

Risk and Exploitability

The CVSS score of 6.9 reflects moderate severity, and the EPSS score of less than 1 % indicates that exploit activity is currently rare. The vulnerability is not cataloged in CISA’s KEV list. Attackers must have local access to the machine or persuade a user to open the malicious MP3, which means the vector is inferred as local or social engineering; no remote exploitation is documented. Consequently, the risk is that a victim’s MediaMonkey instance may be unexpectedly terminated, impacting only the affected workstation.

Generated by OpenCVE AI on March 24, 2026 at 21:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MediaMonkey release from the vendor’s official website, which includes a fix for the URL parsing issue.
  • If a patch is not immediately available, disable the File > Open URL feature or restrict its use to trusted accounts only.
  • Rename or delete any malicious MP3 files that contain unusually long URL strings until a patch is applied.
  • Verify that antivirus or sandboxing solutions are enabled to prevent accidental execution of suspicious media files.
  • Monitor vendor security advisories for updates and apply patches as soon as they appear.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Ventismedia; Ventismedia mediamonkey |
| CPEs | | cpe:2.3:a:ventismedia:mediamonkey:4.1.23.1881:*:*:*:*:windows:*:* |
| Vendors & Products | | Ventismedia; Ventismedia mediamonkey |

Mon, 23 Mar 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Mon, 23 Mar 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Mediamonkey; Mediamonkey mediamonkey |
| Vendors & Products | | Mediamonkey; Mediamonkey mediamonkey |

Sat, 21 Mar 2026 13:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | MediaMonkey 4.1.23 contains a denial of service vulnerability that allows local attackers to crash the application by opening a specially crafted MP3 file containing an excessively long URL string. Attackers can create a malicious MP3 file with a buffer containing 4000 bytes of data appended to a URL, which causes the application to crash when the file is opened through the File > Open URL dialog. |
| Title | | MediaMonkey 4.1.23 Denial of Service via Malformed URL |
| Weaknesses | | CWE-226 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'} |
| Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T16:24:02.799Z

Reserved: 2026-03-21T12:38:23.575Z

Link: CVE-2019-25571

Vulnrichment

Updated: 2026-03-23T16:23:57.983Z

NVD

Status: Analyzed

Published: 2026-03-21T13:16:21.017

Modified: 2026-03-24T20:41:40.150

Link: CVE-2019-25571

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:47:12Z

Weaknesses