VideoLAN denies VLC Media Player has a major security flaw

Update: VideoLAN has denied that its VLC media player has the reported security issue. VideoLAN tweeted: “VLC is not vulnerable … the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped”.

Jean-Baptiste Kempf, VideoLAN president and lead developer of the VLC media player, provided this comment to Trusted Reviews: “The issue is in a different library, and the issue was fixed more than 14 months ago. All binaries version of VLC distributed by VideoLAN since 3.0.3 are safe for this issue”.

Original article follows

The popular VLC media player has a critical security flaw and it has not yet been patched. A fix is currently being worked on by VLC’s parent company VideoLAN. A security advisory for the vulnerability was issued by German cybersecurity agency CERT-Bund.

The latest version of VLC media player (3.0.7.1) currently includes a security flaw which could allow a remote attacker to execute code, cause a denial-of-service condition, exfiltrate information and manipulate files on a user’s machine.

According to ESET, the memory-corruption flaw may also be present in earlier versions of the VLC media player. The problem affects Windows, Linux and Unix users of the program – macOS users have dodged the issue.

The bug does not require interaction by the user or the escalation of privileges to be exploited – making it particularly dangerous. Thankfully, there are yet to be any reported cases of the security vulnerability being exploited.

In the absence of a patch, the only way to avoid the problem at the moment is to avoid using the VLC media player.

The security vulnerability is being viewed extremely seriously. The NIST National Vulnerability Database (NVD) has declared the flaw critical and ranked it 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) scale.

The NVD is a US government vulnerability database, while the CVSS is a standard used for providing a numerical indication of bug severity.

VideoLAN is yet to reveal a date for when a patch will be implemented. However, the issue is listed on the company’s bug tracker as a critical priority – with the listing having been opened four weeks ago and at 60% completion.

A German publication named Heise Online has reported that a specific .mp4 file may be required for the exploit to occur. However, security researchers and CERT-Bund, the original discoverer of the bug, have not confirmed this to be the case.
