VLC Media Player Vulnerability


Two vulnerabilities in VLC media player could allow hackers to take control of a PC via a .MKV video file. The flaws were made public by VideoLAN, the developer of the open-source VLC media player. VideoLAN released patches to fix the issues. In all, 15 VLC bugs were made public. Eleven of the flaws were found by Antonio Morales, a researcher at the Semmle Security Team, which also posted a technical breakdown of the bugs (https://blog.semmle.com/vlc-vulnerability-heap-overflow/).

The most problematic flaw is a buffer overflow bug, CVE-2019-14970, in the MKV demuxer. This is responsible for multiplexing digital and analog files. The flaw is an out-of-bounds (OOB) write (heap overflow) vulnerability that affects the .mkv file format.


A hacker could execute code in VLC's execution context. This means that a hacker could perform the same actions that a legitimate user can, but without the user's consent and without the user noticing. In a number of cases, the hacker could take control of the computer. The user only needs to open the file to trigger the vulnerability.

The flaws affect VLC version 3.0.7.1. The current updated version, 3.0.8, fixes those bugs. According to VideoLAN, the updates have not been pushed out to users yet, but users can manually update their client by directly downloading the most recent version.