Germany cybersecurity agency CERT-Bund has discovered a critical flaw in VLC Media Player which could allow for remote code execution on victims’ devices.
If successfully executed, the flaw could grant access to users’ data and allow attackers to modify their files.
“VideoLAN VLC media player 18.104.22.168 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp,” explained the report.
WinFuture claims that the issue is present in various desktop versions of the application, including Windows and Linux versions, with macOS iterations being seemingly unaffected.
VLC’s parent company VideoLan has begun developing a patch for the flaw, with work on this fix currently about 60% complete four weeks after it begun.
There is no information on whether this flaw has been used to conduct any attacks, but since the vulnerability is public and not yet fixed, it is likely that the flaw will be exploited more frequently until a fix is rolled out.