VLC media player versions 3.0.6 and earlier contain two high-risk security flaws that allow an attacker to run arbitrary code when a specially crafted video file is loaded on a vulnerable system.
For those who do not know, VLC media player is one of the best and most popular media players, with over 3 billion downloads.
It is a free and open source player that runs on Windows, macOS and Linux, as well as on the mobile platforms Android and iOS. Whatever the format, VLC media player can play virtually any kind of audio and video you want.
The first vulnerability, CVE-2019-12874, is in zlib_decompress_extra() (demux/mkv/utils.cpp) of the VideoLAN VLC player. It can be triggered when the Matroska demuxer processes a malformed MKV file.
A second high-risk flaw, CVE-2019-5439, was also identified; it is a buffer overflow in ReadFrame (demux/avi/avi.c).
A remote attacker can create specially crafted AVI or MKV files which, when loaded by the target user, trigger a buffer overflow.
Successfully opening a malicious file could either crash VLC or execute arbitrary code with the privileges of the target user.
VLC users are strongly recommended to upgrade the media player to VLC 3.0.7 or newer to prevent attackers from exploiting these vulnerabilities on their systems.
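
To find installations that still need the upgrade, the following added example (not from the original article or the VLC project) classifies reported VLC version strings against the 3.0.7 fix. The inventory entries are constructed samples, and the code assumes the reported string follows upstream release numbering.

```python
import re

# First fixed release per the article; 3.0.6 and earlier are affected.
FIXED = (3, 0, 7)

# Constructed sample inventory (host, reported version string); not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "VLC media player 3.0.6 Vetinari (revision 3.0.6-0-g0000000)"),
    ("ws-02", "VLC media player 3.0.7.1 Vetinari"),
    ("ws-03", "3.0.7-1"),
    ("ws-04", "2.2.8-git"),
    ("ws-05", "unknown"),
]

# First dotted version in the string: major.minor.patch with optional 4th part.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return the version as a tuple of ints, or None if none is found."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups() if part is not None)


def classify(text):
    """Map a reported version string to 'vulnerable', 'fixed' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # never treat an unparsed host as safe
    return "vulnerable" if version[:3] < FIXED else "fixed"


def triage(inventory):
    """Return {host: status} for every (host, version string) pair."""
    return {host: classify(reported) for host, reported in inventory}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be checked by hand rather than assumed patched.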