Symeon Paraschoudis, a security researcher at Pen Test Partners, uncovered a critical double-free vulnerability in VLC media player that could allow an attacker to execute arbitrary code on a target system.
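To show the bug class named above, here is an added example of a double free beside its hardened form, written in C. It is a constructed illustration, not code from VLC or from the researcher's report: the block_t type, the inflate_*/demux_* functions, the zero-length failure condition and the free counter are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not VLC's code: a demuxer-style buffer whose error
 * path leads to a double free, beside the hardened ownership pattern. */

typedef struct {
    unsigned char *data;
    size_t len;
} block_t;

/* Instrumentation so a test can observe how many times free() really ran. */
static int real_frees = 0;

static void block_free(unsigned char *p) {
    free(p);
    real_frees++;
}

/* Vulnerable pattern: the helper frees the caller's buffer on failure but
 * leaves blk->data dangling, and the caller frees it again. A modern glibc
 * aborts with "free(): double free detected"; on a heap the attacker can
 * groom, the freed chunk can be handed out again while still referenced,
 * which is how a double free becomes memory corruption and code execution. */
static int inflate_bad(block_t *blk) {
    if (blk->len == 0) {          /* constructed failure condition */
        block_free(blk->data);    /* first free, pointer left dangling */
        return -1;
    }
    return 0;
}

static int demux_bad(block_t *blk) {
    int rc = inflate_bad(blk);
    block_free(blk->data);        /* second free on the error path */
    blk->data = NULL;
    return rc;
}

/* Hardened pattern: one release routine that nulls the pointer at the point
 * of release, so a repeat release is a harmless no-op. */
static void block_release(block_t *blk) {
    if (blk->data != NULL) {
        block_free(blk->data);
        blk->data = NULL;
        blk->len = 0;
    }
}

static int inflate_good(block_t *blk) {
    if (blk->len == 0) {
        block_release(blk);       /* releases and nulls; the caller sees NULL */
        return -1;
    }
    return 0;
}

static int demux_good(block_t *blk) {
    int rc = inflate_good(blk);
    block_release(blk);           /* safe even if inflate_good already released */
    return rc;
}

/* Test helper: run the hardened path on a constructed block of `len` bytes
 * and report how many real free() calls happened (always exactly one). */
static int frees_for_good_path(size_t len) {
    block_t blk = { .data = malloc(len ? len : 1), .len = len };
    real_frees = 0;
    demux_good(&blk);
    return real_frees;
}

int main(int argc, char **argv) {
    printf("hardened error path frees: %d\n", frees_for_good_path(0));   /* 1 */
    printf("hardened normal path frees: %d\n", frees_for_good_path(16)); /* 1 */
    if (argc > 1 && strcmp(argv[1], "--bad") == 0) {
        /* Only on request: this path double-frees and aborts under glibc. */
        block_t blk = { .data = malloc(1), .len = 0 };
        demux_bad(&blk);
    }
    return 0;
}
```

Running the binary with `--bad` exercises the vulnerable path; glibc's allocator aborts the process, and a build with `-fsanitize=address` reports the same bug as an attempted double-free with both call stacks, which is the quickest way to confirm a suspected double free in a parser under test.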
Buffer overflow vulnerability
The second vulnerability, reported through the HackerOne bug bounty program, is a buffer overflow.
Both vulnerabilities patched
VideoLAN has fixed both vulnerabilities in VLC 3.0.7, the latest release.
“The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied,” VideoLAN recommends in the advisory.