Critical RCE bug found in VLC Media Player
Specialists of the German CERT-Bund discovered a dangerous vulnerability in a popular media player that allows remote execution of arbitrary code. The fix is already in development, but not yet ready.
The vulnerability is a buffer over-read. The root of the bug lies in the mkv::demux_sys_t::FreeUnused() function in modules/demux/mkv/demux.cpp, and it is triggered during a call from mkv::Open in modules/demux/mkv/mkv.cpp.
Exploiting the vulnerability can lead not only to the execution of arbitrary code, but also to unauthorized disclosure of information, file changes and denial of service.
At the moment, developers and researchers have no information that attackers are already exploiting this vulnerability. Unfortunately, now that data about the bug has been published, the situation can quickly change for the worse.