Remote code execution vulnerability in VLC remains unpatched

Updated: The bug was believed to be in VLC’s latest release.
Written by Charlie Osborne, Contributing Writer

Update 12.37 BST: VideoLAN pointed ZDNet towards a Twitter feed in response, saying that "there is no security issue in [the] last version of VLC," and instead, a mistake from MITRE and CERT_BUND is at fault. 

A serious vulnerability has been uncovered in the latest release of the VLC media player and no patch is available.

Non-profit VideoLAN's VLC player is popular software used to both play and convert a variety of audio and visual files. Available for Windows, Linux, Mac OS X, Unix, iOS, and Android systems, the open-source media player has now become the focus of a recent security advisory released by the German Computer Emergency Response Team (CERT-Bund). 

In the advisory, CERT-Bund warns that VLC media player version, the latest build available, contains a vulnerability which has been awarded a CVSS score of 9.8 out of 10. 

See also: Google cleans out stalker, spyware apps from Play Store

The heap-based buffer over-read bug, found in VLC's mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp protocol when called from mkv::Open in modules/demux/mkv/mkv.cpp, is potentially as severe as it gets. 

"A remote, anonymous attacker can exploit the vulnerability in VLC to execute arbitrary code, cause a denial-of-service condition, exfiltrate information, or manipulate files," as noted by ESET

The vulnerability is known to exist in the latest version of VLC on Windows, Linux, and Unix machines, but it is possible the bug is also present in past builds. 

CNET: Fake Facebook accounts are already reportedly offering Libra cryptocurrency

Tracked as CVE-2019-13615, the security flaw does not require privilege escalation or user interaction to exploit. 

German publication Heise Online reports that a crafted .MP4 file may be required to trigger the exploit, but this has not been confirmed by researchers or CERT-Bund at the time of writing. 

VLC is rapidly working on a fix. According to the non-profit's bug tracker, the vulnerability has been issued the "highest" priority for a patch and the tracker appears to suggest a fix is 60 percent complete, according to a developer who posted an update two days ago. 

TechRepublic: 40% of enterprises experienced Office 365 credential theft, report finds

While there is no concrete date for a patch release, in better news, there are no known cases of the vulnerability being exploited in the wild. 

North Korea's history of bold cyber attacks

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards