Update: VLC Media Player Plagued By Unpatched Critical RCE Flaw

A patch does not yet exist for a critical buffer overflow vulnerability in VLC Media Player that could enable remote code execution.


After a German security agency reported that a critical vulnerability exists in the VLC open-source media player that could enable remote code execution and other malicious actions, the developers of VLC said that the media player is not vulnerable.

The VLC media player, developed by the VideoLAN project, is used by more than 3.1 billion users. The vulnerability (CVE-2019-13615) exists in the Windows, Linux and UNIX versions of VLC (the latest version of the media player), according to the National Vulnerability Database. No patch is available for the vulnerability, though no exploitation of it has been observed yet, according to German security agency CERT-Bund.

“A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files,” according to a release by CERT-Bund posted over the weekend.

VideoLAN did not respond to a request for comment from Threatpost.

However, in a tweet, VLC said “the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.”

While details of the vulnerability are scant, CERT-Bund said that the flaw stems from an improper restriction of operations within the bounds of a memory buffer. According to NIST, the bug ranks 9.8 out of 10 on the CVSS 3.0 scale, making it critical severity. Despite the level of severity, no patch is currently available for the vulnerability.

Specifically, the heap-based buffer over-read vulnerability exists in the mkv::demux_sys_t::FreeUnused() function in modules/demux/mkv/demux.cpp of VLC media player, when it is called from mkv::Open in modules/demux/mkv/mkv.cpp.

It’s only the latest vulnerability in VLC media player. Earlier in June, two high-severity bugs were patched in the media player. The flaws were an out-of-bound write vulnerability and a stack-buffer-overflow bug, and were two of 33 fixes being pushed out to the media player. VideoLAN said that the high number of patches stemmed from a new bug bounty program funded by the European Commission, which was launched in hopes of keeping open source projects that EU institutions rely on secure. The program is maintained by the HackerOne bounty program facilitator.

This article was updated on July 24 at 12pm ET to reflect comments from VideoLAN.

  • Henry Dix on

    Can you remove this false article?? You cited a source that directly refutes your claims. Novice Story Telling. "Sorry, but this bug is not reproducible and does not crash VLC at all."
  • anon on

    Please stop posting unsubstantiated claims. Have you contacted the developer of VLC?
    • Lindsey O'Donnell on

      Hello, Yes, as the article states, I did reach out to the developers several times but never heard back.
  • Norman Rasmussen on

    The VLC bug says it's not a bug in VLC, but in a 3rd party library that was not up to date.
  • Brian on

    All these negative comments lambasting your reporting skills Lindsey! It's not like you were the only site to report on the data that was made available... Yesterday I searched and found at least 10 other sites reporting the same information. Furthermore: "The VLC CVE on the National Vulnerability Database has now been updated, downgrading the severity of the issue from a Base Score of 9.8 (critical) to 5.5 (medium), with the change log also specifying that the “Victim must voluntarily interact with attack mechanism.” "VideoLAN’s public bug tracker now lists the bug report as “fixed” and has closed the thread." In any case, thanks for updating the article!
  • Art MARQUARDT on

    Fix the headline too.
  • w.williams on

    Your story is headlined "Update: VLC Media Player Plagued By Unpatched Critical RCE Flaw." As you well know, this updated headline is misleading, if not outright dishonest. If you can't or won't update it to correct it, it reflects on Threat Post's integrity, not VideoLAN's.
