Researchers find vulnerability in VLC that enables remote code execution – update

Spread the love

Researchers have discovered a vulnerability in media player VLC that allows remote code execution. According to the discoverers, it is a buffer overflow leak. VLC is now working on a patch, but it is not yet available.

The researchers of the German security watchdog CERT-Bund discovered the leak and have given it the code CVE-2019-13615. The vulnerability is in the latest stable version of the VLC Media Player, version 3.0.7.1, and below. The vulnerability allows remote code execution to be performed on a victim’s system. It would also be possible to steal information from a system or modify files, for example by encrypting them. According to the researchers, this is a heap-based buffer overflow and occurs in all versions of VLC.

VideoLAN, the company behind the media player, started a patch a month ago. That would be about sixty percent ready, according to the company’s bug tracker. It is not known whether the vulnerability has been actively exploited.

Update 25-07: VideoLAN has responded to the message, saying that the vulnerability was in outdated third-party libraries. We have written a follow-up message.

You might also like