CVE-2020-37050

CVE-2020-37050 is a buffer overflow vulnerability (CWE-120) affecting Quick Player version 1.3. The flaw enables attackers to execute arbitrary code by crafting a malicious .m3l file containing a carefully constructed payload. It is triggered through the application's file loading mechanism when processing the specially crafted file, potentially leading to remote code execution. The vulnerability received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Any remote attacker can exploit this vulnerability without authentication or user interaction prerequisites per the CVSS vector. By delivering the malicious .m3l file, the attacker achieves high-impact remote code execution, compromising confidentiality, integrity, and availability on the targeted system.

Advisories and references, including those from VulnCheck (https://www.vulncheck.com/advisories/quick-player-ml-buffer-overflow) and Exploit-DB (https://www.exploit-db.com/exploits/48564), detail the issue. An archived blog post by whitecr0wz (https://web.archive.org/web/20201022211753/https://whitecr0wz.github.io/posts/Exploiting-Quick-Player/) provides exploitation analysis, accompanied by imagery (https://web.archive.org/web/20210105222205/https://whitecr0wz.github.io/assets/img/Findings6/18.gif). No specific patch or mitigation steps are outlined in the provided information.

A proof-of-concept exploit is publicly available on Exploit-DB, indicating potential for practical exploitation in environments running the affected Quick Player version downloadable from sources like CNET (https://download.cnet.com/quick-player/3000-2168_4-10871417.html). The CVE was published on 2026-01-30.