Security flaw in VLC media player allows attackers to execute arbitrary code
- The free media player software contains this code execution flaw in versions 18.104.22.168 and earlier.
- VideoLAN, the developer of the VLC media player is yet to patch this major issue in the software.
The popular opensource multimedia software, VLC media player, was found having a critical security flaw that allowed attackers to execute arbitrary code. The vulnerability, tracked as CVE-2019-13615, was a buffer over-read flaw that led to code execution in the software.
The flaw was found in version 22.214.171.124 of VLC and its believed to affect all the previous versions. As of now, the flaw still remains in the current version (126.96.36.199) of the VLC media player.
- A security advisory by the NIST highlights the details of the issue. “VideoLAN VLC media player 188.8.131.52 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp,” reads the advisory.
- The flaw has a CVSS score of 9.8 with the attack complexity being rated as low.
- VideoLAN, the developer group behind the VLC media player, is tracking the flaw on its issue tracking platform. A fix is expected soon.
- No exploits or instances abusing the flaw has been recorded currently.
In June, the VLC media player was found containing two critical vulnerabilities that led to arbitrary code execution. These flaws could be exploited if users had opened malicious files sent by attackers.
However, these flaws were fixed immediately upon being notified by a security researcher. They were patched in version 3.0.7.