CVE-2018-25238
Received Received - Intake
Denial of Service in Microsoft VSCO Search via Long Input

Publication date: 2026-04-04

Last updated on: 2026-04-04

Assigner: VulnCheck

Description
VSCO 1.1.1.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string through the search functionality. Attackers can paste a buffer of 5000 characters into the search bar and navigate back to trigger an application crash.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-04
Last Modified
2026-04-04
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2018-25238
EUVD
EUVD-2018-21732
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
microsoft vsco 1.1.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1260 The product allows address regions to overlap, which can result in the bypassing of intended memory protection.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Microsoft VSCO version 1.1.1.0 and is a denial of service (DoS) issue caused by improper handling of input in the search functionality.

A local attacker can crash the application by submitting an excessively long stringβ€”specifically, a buffer of 5000 charactersβ€”into the search bar and then navigating back, which triggers the application to crash.

This happens due to a buffer overflow or improper handling of protected memory ranges, leading to the application becoming unresponsive or crashing.

Impact Analysis

The primary impact of this vulnerability is a denial of service condition where the VSCO application crashes and becomes unavailable to the user.

Since the attack requires local access and no privileges or user interaction, an attacker with local access can disrupt the availability of the application, potentially interrupting workflows or causing loss of productivity.

The vulnerability does not affect confidentiality or integrity but has a high impact on availability.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the denial of service condition on the affected VSCO application version 1.1.1.0. A proof-of-concept involves creating a payload of 5000 characters and pasting it into the application's search bar.

  • Create a file (e.g., PoC.txt) containing 5000 'A' characters.
  • Copy the contents of this file.
  • Paste the copied string into the VSCO application's search bar.
  • Perform a search and then navigate back to the home screen.

If the application crashes, the vulnerability is present.

Example command to create the payload file using Python:

  • python -c "print('A'*5000)" > PoC.txt
Mitigation Strategies

Immediate mitigation steps include avoiding the use of the search functionality with excessively long input strings in VSCO version 1.1.1.0.

Restrict local user access to the application to prevent malicious input.

Monitor for any crashes related to the search functionality and inform users about the risk of pasting large strings.

Since this is a local vulnerability, ensure that only trusted users have access to the system running VSCO.

Check for any available updates or patches from Microsoft or the Microsoft Store that address this vulnerability.

Compliance Impact

The vulnerability described is a denial of service (DoS) issue that allows local attackers to crash the Microsoft VSCO application by submitting an excessively long string through the search functionality.

There is no information provided in the context or resources about any impact on data confidentiality, integrity, or privacy that would relate to compliance with standards such as GDPR or HIPAA.

Since the vulnerability only causes an application crash without indication of data breach or unauthorized data access, its direct effect on compliance with common standards and regulations is not specified.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25238. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart