Last Updated:

Critical RCE bug found in VLC Media Player

Specialists of the German CERT-Bund discovered a dangerous vulnerability in a popular media player that allows remote execution of arbitrary code. The fix is ​​already in development, but not yet ready.

It is reported that the problem poses a threat to the newest version of VLC Media Player 3.0.7.1 (for Windows, Linux and UNIX) and received the identifier  CVE-2019-13615 .

The vulnerability is of type buffer overread, and the bug root lies in the mkv :: demux_sys_t :: FreeUnused () function in modules / demux / mkv / demux.cpp triggered during a call from mkv :: Open in modules / demux / mkv / mkv .cpp.

Exploiting a vulnerability can lead not only to the execution of arbitrary code, but also to unauthorized disclosure of information, file changes and denial of service.

According to the bug report , the VideoLAN developers have been working on creating a patch for this problem for almost a month, but the fix is ​​not ready yet. Judging by the status indicator, at present the patch is only 60% ready.

At the moment, developers and researchers do not have information that attackers already exploit this vulnerability. But, unfortunately, now, after the publication of data about the bug, the situation can quickly change for the worse.