Critical security flaw found in VLC Media Player

Germany cybersecurity agency CERT-Bund has discovered a critical flaw in VLC Media Player which could allow for remote code execution on victims’ devices.

If successfully executed, the flaw could grant access to users’ data and allow attackers to modify their files.

“VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp,” explained the report.

WinFuture claims that the issue is present in various desktop versions of the application, including Windows and Linux versions, with macOS iterations being seemingly unaffected.

VLC’s parent company VideoLan has begun developing a patch for the flaw, with work on this fix currently about 60% complete four weeks after it begun.

There is no information on whether this flaw has been used to conduct any attacks, but since the vulnerability is public and not yet fixed, it is likely that the flaw will be exploited more frequently until a fix is rolled out.

Now read: Google finds cheap way out of major “Wi-Spy” lawsuit

Latest news

Partner Content

Show comments

Recommended

Share this article
Critical security flaw found in VLC Media Player