VLC is reportedly vulnerable to remote code execution: if the player opens a malicious video, it could crash, or the crafted video could run malware on the host machine.
The U.S. government’s National Institute of Standards and Technology (NIST) has registered a “critical” heap-based buffer overflow, tracked as CVE-2019-13615, which is reportedly present in the latest official release of VLC (3.0.7.1).
NIST stated that a victim could plausibly be tricked into opening a booby-trapped video in VLC, triggering the bug and resulting in either a harmless crash of the player or, worse, the execution of malicious code.
This defect was detected in the Linux, Unix, and Windows builds of the VLC media player.
“VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp” – NIST
Germany’s CERT has also interpreted this bug as dangerous and exploitable.
However, the developers of the widely used, open-source VLC media player dispute this claim, stressing that the chances of exploiting the bug are next to zero.
VideoLAN lead developer Jean-Baptiste Kempf, discussing CVE-2019-13615 in a bug-tracking ticket, said he was unable to reproduce the crash with the proof-of-concept .MP4 video that was supposed to crash the latest version of VLC. He also reported that the file did not crash older versions of the software or the current development builds.
Kempf – “This does not crash a normal release of VLC 3.0.7.1. Sorry, but this bug is not reproducible and does not crash VLC at all.”
“If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you read the above comment first and reconsider your (fake) news sources” – Francois Cartegnie, VLC developer
By contrast, when the technology news and opinion website The Register played the proof-of-concept .MP4 video in VLC 3.0.7 Vetinari (3.0.7-0-g86cee31099) on Linux, the player crashed with a segmentation fault.
This seems to be at odds with Kempf’s statement that the bug “does not crash” VLC and “is not reproducible”. It also leaves open the question of whether remote code execution is possible: a segmentation fault shows that the faulty code path can be reached with a crafted file, but not, by itself, that the memory error can be turned into code execution.
A patch for VLC is expected soon; users should update as soon as it is available to keep their systems safe.