CVE-2018-25238
Received - Intake
Denial of Service in Microsoft VSCO Search via Long Input

Publication date: 2026-04-04

Last updated on: 2026-04-04

Assigner: VulnCheck

Description
VSCO 1.1.1.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string through the search functionality. Attackers can paste a buffer of 5000 characters into the search bar and navigate back to trigger an application crash.
Meta Information
Published: 2026-04-04
Last Modified: 2026-04-04
Generated: 2026-05-07
AI Q&A: 2026-04-04
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
microsoft vsco 1.1.1.0
CWE ID Description
CWE-1260 The product allows address regions to overlap, which can result in the bypassing of intended memory protection.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Microsoft VSCO version 1.1.1.0 and is a denial of service (DoS) issue caused by improper handling of input in the search functionality.

A local attacker can crash the application by submitting an excessively long string (specifically, a buffer of 5000 characters) into the search bar and then navigating back, which triggers the application to crash.

This happens due to a buffer overflow or improper handling of protected memory ranges, leading to the application becoming unresponsive or crashing.


How can this vulnerability impact me?

The primary impact of this vulnerability is a denial of service condition where the VSCO application crashes and becomes unavailable to the user.

Since the attack requires local access and no privileges or user interaction, an attacker with local access can disrupt the availability of the application, potentially interrupting workflows or causing loss of productivity.

The vulnerability does not affect confidentiality or integrity but has a high impact on availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to reproduce the denial of service condition on the affected VSCO application version 1.1.1.0. A proof-of-concept involves creating a payload of 5000 characters and pasting it into the application's search bar.

  • Create a file (e.g., PoC.txt) containing 5000 'A' characters.
  • Copy the contents of this file.
  • Paste the copied string into the VSCO application's search bar.
  • Perform a search and then navigate back to the home screen.

If the application crashes, the vulnerability is present.

Example command to create the payload file using Python:

  • python -c "print('A'*5000)" > PoC.txt

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of the search functionality with excessively long input strings in VSCO version 1.1.1.0.

Restrict local user access to the application to prevent malicious input.

Monitor for any crashes related to the search functionality and inform users about the risk of pasting large strings.

Since this is a local vulnerability, ensure that only trusted users have access to the system running VSCO.

Check for any available updates or patches from Microsoft or the Microsoft Store that address this vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability described is a denial of service (DoS) issue that allows local attackers to crash the Microsoft VSCO application by submitting an excessively long string through the search functionality.

There is no information provided in the context or resources about any impact on data confidentiality, integrity, or privacy that would relate to compliance with standards such as GDPR or HIPAA.

Since the vulnerability only causes an application crash without indication of data breach or unauthorized data access, its direct effect on compliance with common standards and regulations is not specified.

