Buffer Overflow Vulnerability in Shotcut 25.10.31

Vulnerability Overview

ByteScan Security Research discovered a buffer overflow vulnerability in Shotcut 25.10.31, a popular open-source video editing software. The vulnerability affects the MLT Framework's image processing component, potentially causing denial of service. MITRE assigned CVE-2025-65834 on December 13, 2025.

Technical Description

A memory access violation occurs when Shotcut processes MLT project files with manipulated width and height parameters. When these values are set to extremely large numbers, the application attempts to allocate excessive memory during image processing, triggering a buffer overflow in the mlt_image_fill_white function within the MLT Framework.

Affected Component

MLT Framework image processing module, specifically the mlt_image_fill_white function responsible for memory allocation and image buffer initialization.

Attack Vector

The vulnerability can be exploited through a maliciously crafted MLT project file with extreme dimension parameters. The attack is classified as:

• Attack Type: Local (requires user interaction)
• Complexity: Low (trivial to exploit)
• User Interaction: Required (user must open malicious file)
• Privileges Required: None

Impact Assessment

The vulnerability allows an attacker to cause application crashes through specially crafted MLT files. While the impact is limited to denial of service (no code execution or data theft), it could result in:

• Loss of unsaved work in active Shotcut projects
• Potential data corruption if crash occurs during save operations
• User productivity disruption
• Social engineering attack vector (disguised malicious project files)

CVSS Score

Pending official analysis from the National Vulnerability Database (NVD). Preliminary assessment suggests Medium severity based on local attack vector requiring user interaction.

Disclosure Timeline

Mitigation & Recommendations

For End Users

• Exercise caution when opening MLT project files from untrusted sources
• Save work frequently to minimize potential data loss
• Monitor vendor announcements for security patches
• Consider using alternative video editing software for processing untrusted projects

For Developers

• Implement input validation for width and height parameters in MLT files
• Add bounds checking before memory allocation based on user-supplied dimensions
• Display warnings when processing files with unusual parameter values
• Implement safe memory allocation wrappers with overflow detection

References & Resources

• Official CVE Entry: MITRE CVE-2025-65834
• Shotcut Official Website: shotcut.org
• MLT Framework: mltframework.org
• Shotcut GitHub: github.com/mltframework/shotcut
• National Vulnerability Database: NVD Entry (pending publication)

Responsible Disclosure Policy

ByteScan follows industry-standard responsible disclosure practices for all security vulnerabilities we discover:

• Immediate Notification: We notify affected vendors immediately upon vulnerability discovery
• Coordinated Timeline: We work with vendors to establish reasonable disclosure timelines (typically 90 days)
• No Premature Disclosure: We do not release exploit code or detailed technical information before vendor patches are available
• User Protection: Our priority is protecting end users while giving vendors adequate time to develop and deploy fixes
• Good Faith Research: All security research is conducted ethically and in compliance with applicable laws

For this vulnerability, we are coordinating with the Shotcut/MLT Framework development team and will release full technical details after patch deployment or March 13, 2026, whichever comes first.