Critical VLC Media Player Vulnerability Discovered By German Researchers

The popular media playing software VLC was recently found to have a critical security flaw. Upon exploit, this flaw can allow potential attackers to execute remote code and conduct other malicious activities. The vendors are presently working on a fix for this VLC Media Player vulnerability.

VLC Media Player Vulnerability

Researchers from German cybersecurity firm CERT-Bund have spotted a critical security flaw in VLC Media Player. This flaw, upon exploit, can lead to serious consequences.

As stated in their advisory [translated],

A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files.

The vulnerability has received the CVE number CVE-2019-13615 with a CVSS v3.0 base score of 9.8. This critical security flaw is basically a heap-based buffer over-read affecting the software. As per its analysis description,

VideoLAN VLC media player has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp.

This security flaw allegedly affects the software across all major operating systems, including Windows, Linux, and Unix.

Patch On The Way

VLC has confirmed the presence of the security flaw. The vendors are presently working to fix this VLC Media Player vulnerability. However, until the time of writing this article, the work status merely shows a 60% progress. That means the firm is still in the process of developing a patch.

The status of the fix for this flaw can be tracked via the ticket #22474.

For now, there seems no possible mitigation or workaround to stay safe from potential exploit. Therefore, the users of this popular media player should avoid using this tool for the time being.

VLC Media Player is popular open-source software. Owing to its seamless compatibility with major operating systems, and the support for most media files types, it is famous among the public. Presently, the website of the software shows over 3 billion downloads.

Take your time to comment on this article.

Related posts

Microsoft Patch Tuesday May 2024 Fixed 3 Zero-Days

Vulnerabilities In Cinterion Cellular Modems Threatened IoT And Industrial Devices

Google Admits Active Exploitation For Chrome Browser Zero-Day