Update: VLC Media Player Plagued By Unpatched Critical RCE Flaw


No patch yet exists for a critical memory-safety flaw, catalogued as a heap-based buffer over-read, in VLC Media Player that, according to the vulnerability database entry, could enable remote code execution.


After CERT-Bund, Germany's federal computer emergency response team, reported a critical vulnerability in the open-source VLC media player that could enable remote code execution and other malicious actions, VLC's developers responded that current releases of the player are not vulnerable.

The VLC media player, developed by the VideoLAN project, has been downloaded more than 3.1 billion times. According to the National Vulnerability Database (NVD) entry, the vulnerability (CVE-2019-13615) affects the latest release of VLC on Windows, Linux and UNIX. No patch is available, though CERT-Bund says it has seen no exploitation of the flaw so far.

“A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files,” according to a release by CERT-Bund posted over the weekend.

VideoLAN did not respond to a request for comment from Threatpost.

However, in a tweet, VLC said “the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.”

While details of the vulnerability are scant, CERT-Bund said that the flaw stems from an improper restriction of operations within the bounds of a memory buffer. NIST's NVD scores the bug 9.8 out of 10 on the CVSS 3.0 scale, which is critical severity; note that this is a base score derived from the reported vulnerability class and does not take VideoLAN's dispute of the report into account. Despite the score, no patch is currently available for the vulnerability.

Specifically, the NVD entry locates the heap-based buffer over-read in the function mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp, when it is called from mkv::Open in modules/demux/mkv/mkv.cpp. That code is VLC's Matroska (MKV) demuxer, so the trigger would be a crafted media file; the disagreement with VideoLAN is over whether the underlying bug lies in VLC's own code or in an outdated copy of the bundled libebml library.
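The practical check that follows from VideoLAN's response is whether an installed VLC is at or above version 3.0.3, the release the project says first shipped the fixed libebml. The POSIX shell script below is an added example, not code from the article or from VideoLAN: it extracts the version from the first line of `vlc --version` output (the line format `VLC version X.Y.Z Codename ...` is assumed here) and compares it field by field against 3.0.3. The sample output string is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or VideoLAN): decide whether an
# installed VLC is at or above 3.0.3, the release VideoLAN says ships the
# fixed libebml.

# version_ge A B: return 0 if dotted numeric version A >= B, else 1.
# Missing trailing fields count as 0, so 3.1 >= 3.0.3 and 3 < 3.0.3.
version_ge() {
    a_rest=$1
    b_rest=$2
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        a=${a_rest%%.*}
        b=${b_rest%%.*}
        # Advance past the field just consumed (empty when none remain).
        case $a_rest in *.*) a_rest=${a_rest#*.} ;; *) a_rest= ;; esac
        case $b_rest in *.*) b_rest=${b_rest#*.} ;; *) b_rest= ;; esac
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
    done
    return 0
}

# vlc_version_from_output: read `vlc --version` text on stdin and print the
# bare version number from the line "VLC version X.Y.Z ..." (format assumed).
vlc_version_from_output() {
    sed -n 's/^VLC version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# vlc_fixed VERSION: return 0 if VERSION (digits and dots; any suffix such as
# "-1" or a codename is stripped) is >= 3.0.3, else 1.
vlc_fixed() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    version_ge "$v" 3.0.3
}

# Constructed sample of the first line `vlc --version` prints (format assumed).
# For a real check, replace the sample with: vlc --version | vlc_version_from_output
SAMPLE_OUTPUT='VLC version 3.0.7.1 Vetinari (3.0.7.1-0-gabcdef)'
ver=$(printf '%s\n' "$SAMPLE_OUTPUT" | vlc_version_from_output)
if vlc_fixed "$ver"; then
    echo "VLC $ver is at or above 3.0.3: ships the libebml VideoLAN describes as fixed"
else
    echo "VLC $ver is older than 3.0.3: upgrade before trusting VideoLAN's statement"
fi
```

The comparison deliberately treats absent trailing fields as zero rather than comparing strings lexically, since a lexical compare would rank 3.0.10 below 3.0.3. It says nothing about which libebml a distribution package actually links against; on Linux, where VLC may use the system libebml rather than a bundled copy, the package manager's libebml version is the second thing to check.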

It’s only the latest vulnerability in VLC media player. In June, two high-severity bugs were patched in the media player: an out-of-bounds write and a stack buffer overflow, two of 33 fixes pushed out in that release. VideoLAN said that the high number of patches stemmed from a new bug bounty program funded by the European Commission, launched to help keep secure the open-source projects that EU institutions rely on. The program runs on the HackerOne bug bounty platform.


This article was updated on July 24 at 12pm ET to reflect comments from VideoLAN.
