VLC Player Contains Critical Flaw, Remains Unpatched

The latest release of the popular media player VLC contains a critical vulnerability, and news sites report that it remains unpatched.

The German Computer Emergency Response Team (CERT-Bund) published a security advisory detailing the vulnerability in the non-profit's video player.

According to a report published by ZD Net, the vulnerability received a CVSS score of 9.8 out of 10, which NIST’s National Vulnerability Database rates as critical.

The flaw in the recent VLC update is listed as CVE-2019-13615. The bug “does not require privilege escalation or user interaction to exploit,” states ZD Net.

Systems at Risk

According to PC Gamer's article, the flaw allows hackers to gain access to sensitive information on the computer. It also lets hacking groups “install, run, and modify anything on it without your knowledge.”

Unauthorized access also enables file disclosure, allowing hackers to see files in the computer's storage. Once hackers exploit the bug, they can also run malware on these systems.

The security flaw puts more than 3.1 billion users around the globe at risk. CERT-Bund's statement says, “A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code.” The bug can also “create a denial of service state, disclose information, or manipulate files.”

Gizmodo reports that all Windows, Linux, and Unix versions remain affected by the flaw. The only version spared from the vulnerability is the macOS version. The risk is reported only in the latest version, 3.0.7.1; however, the bug may also be present in previous versions.

According to Threatpost, the flaw stems from “improper restriction of operations within the bounds of memory buffer.”

Immediate Action

The VideoLAN Project became aware of the issue and quickly began working on a patch for the public. Despite the timely action taken by the organization, Gizmodo reports that the patch is currently 60 percent complete. As of writing, developers have been working on the patch for four weeks.

ZD Net reports that VideoLAN tagged the bug with the highest priority. Although no patch is available yet, VideoLAN states that there are no reports of the vulnerability being exploited.

Following this, users of the media player are turning to alternatives, including Media Player Classic, Plex Media Player, and KMPlayer.

Earlier, in June 2019, VLC Media Player also released two patches addressing earlier vulnerabilities.