Unrated severityNVD Advisory· Published Jan 25, 2010· Updated Apr 29, 2026

CVE-2009-4257

Description

Heap-based buffer overflow in datatype/smil/common/smlpkt.cpp in smlrender.dll in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10 and 11.0.0, and Helix Player 10.x and 11.0.0 allows remote attackers to execute arbitrary code via an SMIL file with crafted string lengths.

Affected products

RealNetworks/Helix Player3 versions
cpe:2.3:a:realnetworks:helix_player:10.0:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:realnetworks:helix_player:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:helix_player:11.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:helix_player:11.0.1:*:*:*:*:*:*:*
RealNetworks/Realplayer12 versions
cpe:2.3:a:realnetworks:realplayer:10.0:*:*:*:*:*:*:*+ 11 more
- cpe:2.3:a:realnetworks:realplayer:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:10.0:*:linux:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:10.1:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:10.5:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:11.0.0:*:linux:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:11.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:11.0.1:*:linux:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:11.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:11.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:11.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer:11.0.5:*:*:*:*:*:*:*
RealNetworks/Realplayer Enterprise
cpe:2.3:a:realnetworks:realplayer_enterprise:*:*:*:*:*:*:*:*
RealNetworks/Realplayer Sp2 versions
cpe:2.3:a:realnetworks:realplayer_sp:1.0.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:realnetworks:realplayer_sp:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:realnetworks:realplayer_sp:1.0.1:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

securitytracker.com/idnvdPatch
service.real.com/realplayer/security/01192010_player/en/nvdPatchVendor Advisory
www.vupen.com/english/advisories/2010/0178nvdPatchVendor Advisory
www.zerodayinitiative.com/advisories/ZDI-10-007/nvdPatch
secunia.com/advisories/38218nvdVendor Advisory
secunia.com/advisories/38450nvdVendor Advisory
lists.helixcommunity.org/pipermail/datatype-cvs/2008-September/008678.htmlnvd
www.redhat.com/support/errata/RHSA-2010-0094.htmlnvd
www.securityfocus.com/archive/1/509105/100/0/threadednvd
www.securityfocus.com/bid/37880nvd
bugzilla.redhat.com/show_bug.cginvd
exchange.xforce.ibmcloud.com/vulnerabilities/55798nvd
helixcommunity.org/viewcvs/datatype/smil/common/smlpkt.cppnvd
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11110nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.009
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000