CVE-2005-2756
Description
Apple QuickTime before 7.0.3 allows user-assisted attackers to overwrite memory and execute arbitrary code via a crafted PICT file that triggers an overflow during expansion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
8cpe:2.3:a:apple:quicktime:6.5.2:*:mac_os_x_10.2:*:*:*:*:*+ 7 more
- cpe:2.3:a:apple:quicktime:6.5.2:*:mac_os_x_10.2:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:6.5.2:*:mac_os_x_10.3:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:7.0.1:*:mac_os_x_10.3:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:7.0.1:*:mac_os_x_10.4:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:7.0.1:*:windows:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:7.0:*:windows:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:*:*:windows:*:*:*:*:*range: <=7.0.2
- (no CPE)range: <7.0.3
Patches
Vulnerability mechanics
Root cause
"Missing bounds checking during PICT file expansion in Apple QuickTime before 7.0.3 leads to a memory overflow."
Attack vector
An attacker crafts a malicious PICT file that, when opened by the user in Apple QuickTime before 7.0.3, triggers a memory overflow during the image expansion process [ref_id=1]. The attack requires user assistance (e.g., tricking the victim into opening the file via email, a web page, or file download). The overflow allows overwriting adjacent memory, which can lead to arbitrary code execution under the privileges of the user running QuickTime.
Affected code
The advisory does not specify the exact function or file path within Apple QuickTime where the overflow occurs. The vulnerability is triggered when QuickTime processes a crafted PICT file during the expansion/decompression phase [ref_id=1].
What the fix does
The advisory does not include a patch diff or detailed remediation steps. Apple addressed this vulnerability in QuickTime 7.0.3, and users are advised to update to that version or later [ref_id=1]. No further technical details about the fix are provided in the available reference.
Preconditions
- inputThe victim must open a crafted PICT file using Apple QuickTime before version 7.0.3.
- networkThe attacker must deliver the malicious PICT file to the victim (e.g., via email attachment, web download, or other user-assisted means).
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
10- securitytracker.com/idnvdPatchVendor Advisory
- pb.specialised.info/all/adv/quicktime-pict-adv.txtnvdVendor Advisory
- www.kb.cert.org/vuls/id/855118nvdUS Government Resource
- docs.info.apple.com/article.htmlnvd
- secunia.com/advisories/17428nvd
- securityreason.com/securityalert/144nvd
- www.osvdb.org/20478nvd
- www.securityfocus.com/archive/1/415714/30/0/threadednvd
- www.securityfocus.com/bid/15309nvd
- www.vupen.com/english/advisories/2005/2293nvd
News mentions
0No linked articles in our index yet.