VideoLAN VLC Media Player
By the Year
In 2025 there have been 0 vulnerabilities in VideoLAN VLC Media Player. Last year, in 2024, VLC Media Player had 1 security vulnerability published. Right now, VLC Media Player is on track to have fewer security vulnerabilities in 2025 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 0 | 0.00 |
| 2024 | 1 | 7.80 |
| 2023 | 2 | 8.65 |
| 2022 | 1 | 7.80 |
| 2021 | 5 | 7.32 |
| 2020 | 2 | 7.80 |
| 2019 | 17 | 7.51 |
| 2018 | 3 | 8.63 |
It may take a day or so for new VLC Media Player vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent VideoLAN VLC Media Player Security Vulnerabilities
VLC Media Player: Out-of-Bounds Write in impeg2d_mc_fullx_fully Function
CVE-2018-9341
7.8 - High
- November 19, 2024
In impeg2d_mc_fullx_fully of impeg2d_mc.c there is a possible out of bound write due to missing bounds check. This could lead to remote arbitrary code execution with no additional execution privileges needed. User interaction is needed for exploitation.
Memory Corruption
Videolan VLC prior to version 3.0.20 contains an incorrect offset read
CVE-2023-47359
9.8 - Critical
- November 07, 2023
Videolan VLC prior to version 3.0.20 contains an incorrect offset read that leads to a Heap-Based Buffer Overflow in function GetPacket() and results in a memory corruption.
Memory Corruption
Videolan VLC prior to version 3.0.20 contains an Integer underflow
CVE-2023-47360
7.5 - High
- November 07, 2023
Videolan VLC prior to version 3.0.20 contains an Integer underflow that leads to an incorrect packet length.
Integer underflow
An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4
CVE-2022-41325
7.8 - High
- December 06, 2022
An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions.
Integer Overflow or Wraparound
A buffer overflow vulnerability in the __Parse_indx component of VideoLAN VLC Media Player 3.0.11
CVE-2021-25801
7.1 - High
- July 26, 2021
A buffer overflow vulnerability in the __Parse_indx component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file.
Out-of-bounds Read
A buffer overflow vulnerability in the AVI_ExtractSubtitle component of VideoLAN VLC Media Player 3.0.11
CVE-2021-25802
7.1 - High
- July 26, 2021
A buffer overflow vulnerability in the AVI_ExtractSubtitle component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file.
Out-of-bounds Read
A buffer overflow vulnerability in the vlc_input_attachment_New component of VideoLAN VLC Media Player 3.0.11
CVE-2021-25803
7.1 - High
- July 26, 2021
A buffer overflow vulnerability in the vlc_input_attachment_New component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file.
Integer Overflow or Wraparound
A NULL-pointer dereference in "Open" in avi.c of VideoLAN VLC Media Player 3.0.11
CVE-2021-25804
7.5 - High
- July 26, 2021
A NULL-pointer dereference in "Open" in avi.c of VideoLAN VLC Media Player 3.0.11 can cause a denial of service (DOS) in the application.
NULL Pointer Dereference
A vulnerability in EbmlTypeDispatcher::send in VideoLAN VLC media player 3.0.11
CVE-2020-26664
7.8 - High
- January 08, 2021
A vulnerability in EbmlTypeDispatcher::send in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a crafted .mkv file.
Memory Corruption
A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 for macOS/iOS
CVE-2020-13428
7.8 - High
- June 08, 2020
A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 for macOS/iOS allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file.
Memory Corruption
An off-by-one error in the DecodeBlock function in codec/sdl_image.c in VideoLAN VLC media player before 3.0.9
CVE-2019-19721
7.8 - High
- May 15, 2020
An off-by-one error in the DecodeBlock function in codec/sdl_image.c in VideoLAN VLC media player before 3.0.9 allows remote attackers to cause a denial of service (memory corruption) via a crafted image file. NOTE: this may be related to the SDL_Image product.
off-by-five
The Control function of demux/mkv/mkv.cpp in VideoLAN VLC media player 3.0.7.1 has a use-after-free.
CVE-2019-14777
7.8 - High
- August 29, 2019
The Control function of demux/mkv/mkv.cpp in VideoLAN VLC media player 3.0.7.1 has a use-after-free.
Dangling pointer
A vulnerability in mkv::event_thread_t in VideoLAN VLC media player 3.0.7.1
CVE-2019-14970
7.8 - High
- August 29, 2019
A vulnerability in mkv::event_thread_t in VideoLAN VLC media player 3.0.7.1 allows remote attackers to trigger a heap-based buffer overflow via a crafted .mkv file.
Memory Corruption
The mkv::virtual_segment_c::seek method of demux/mkv/virtual_segment.cpp in VideoLAN VLC media player 3.0.7.1 has a use-after-free.
CVE-2019-14778
7.8 - High
- August 29, 2019
The mkv::virtual_segment_c::seek method of demux/mkv/virtual_segment.cpp in VideoLAN VLC media player 3.0.7.1 has a use-after-free.
Dangling pointer
A heap-based buffer over-read exists in DemuxInit() in demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1
CVE-2019-14776
7.8 - High
- August 29, 2019
A heap-based buffer over-read exists in DemuxInit() in demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1 via a crafted .mkv file.
Out-of-bounds Read
In VideoLAN VLC media player 3.0.7.1, there is a NULL pointer dereference at the function SeekPercent of demux/asf/asf.c
CVE-2019-14534
5.5 - Medium
- August 29, 2019
In VideoLAN VLC media player 3.0.7.1, there is a NULL pointer dereference at the function SeekPercent of demux/asf/asf.c that will lead to a denial of service attack.
NULL Pointer Dereference
The Control function of demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1 has a use-after-free.
CVE-2019-14533
7.8 - High
- August 29, 2019
The Control function of demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1 has a use-after-free.
Dangling pointer
A divide-by-zero error exists in the SeekIndex function of demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1
CVE-2019-14535
7.8 - High
- August 29, 2019
A divide-by-zero error exists in the SeekIndex function of demux/asf/asf.c in VideoLAN VLC media player 3.0.7.1. As a result, an FPE can be triggered via a crafted WMV file.
Divide By Zero
A divide-by-zero error exists in the Control function of demux/caf.c in VideoLAN VLC media player 3.0.7.1
CVE-2019-14498
7.8 - High
- August 29, 2019
A divide-by-zero error exists in the Control function of demux/caf.c in VideoLAN VLC media player 3.0.7.1. As a result, an FPE can be triggered via a crafted CAF file.
Divide By Zero
A heap-based buffer over-read in xiph_PackHeaders() in modules/demux/xiph.h in VideoLAN VLC media player 3.0.7.1
CVE-2019-14438
7.8 - High
- August 29, 2019
A heap-based buffer over-read in xiph_PackHeaders() in modules/demux/xiph.h in VideoLAN VLC media player 3.0.7.1 allows remote attackers to trigger a heap-based buffer over-read via a crafted .ogg file.
Out-of-bounds Read
The xiph_SplitHeaders function in modules/demux/xiph.h in VideoLAN VLC media player 3.0.7.1 does not check array bounds properly
CVE-2019-14437
7.8 - High
- August 29, 2019
The xiph_SplitHeaders function in modules/demux/xiph.h in VideoLAN VLC media player 3.0.7.1 does not check array bounds properly. As a result, a heap-based buffer over-read can be triggered via a crafted .ogg file.
out-of-bounds array index
An Integer underflow in VLC Media Player versions < 3.0.7 leads to an out-of-band read.
CVE-2019-5459
7.1 - High
- July 30, 2019
An Integer underflow in VLC Media Player versions < 3.0.7 leads to an out-of-band read.
Integer underflow
Double Free in VLC versions <= 3.0.6 leads to a crash.
CVE-2019-5460
5.5 - Medium
- July 30, 2019
Double Free in VLC versions <= 3.0.6 leads to a crash.
Double-free
lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VLC media player through 3.0.7 has a heap-based buffer over-read
CVE-2019-13962
9.8 - Critical
- July 18, 2019
lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VLC media player through 3.0.7 has a heap-based buffer over-read because it does not properly validate the width and height.
Out-of-bounds Read
libebml before 1.3.6
CVE-2019-13615
5.5 - Medium
- July 16, 2019
libebml before 1.3.6, as used in the MKV module in VideoLAN VLC Media Player binaries before 3.0.3, has a heap-based buffer over-read in EbmlElement::FindNextElement.
Out-of-bounds Read
An Integer Underflow in MP4_EIA608_Convert() in modules/demux/mp4/mp4.c in VideoLAN VLC media player through 3.0.7.1
CVE-2019-13602
7.8 - High
- July 14, 2019
An Integer Underflow in MP4_EIA608_Convert() in modules/demux/mp4/mp4.c in VideoLAN VLC media player through 3.0.7.1 allows remote attackers to cause a denial of service (heap-based buffer overflow and crash) or possibly have unspecified other impact via a crafted .mp4 file.
Memory Corruption
An issue was discovered in zlib_decompress_extra in modules/demux/mkv/util.cpp in VideoLAN VLC media player 3.x through 3.0.7
CVE-2019-12874
9.8 - Critical
- June 18, 2019
An issue was discovered in zlib_decompress_extra in modules/demux/mkv/util.cpp in VideoLAN VLC media player 3.x through 3.0.7. The Matroska demuxer, while parsing a malformed MKV file type, has a double free.
Double-free
A Buffer Overflow in VLC Media Player < 3.0.7 causes a crash
CVE-2019-5439
6.5 - Medium
- June 13, 2019
A Buffer Overflow in VLC Media Player < 3.0.7 causes a crash which can possibly be further developed into a remote code execution exploit.
Buffer Overflow
The CAF demuxer in modules/demux/caf.c in VideoLAN VLC media player 3.0.4 may read memory from an uninitialized pointer when processing magic cookies in CAF files, because a ReadKukiChunk() cast converts a return value to an unsigned int even if
CVE-2018-19857
9.1 - Critical
- December 05, 2018
The CAF demuxer in modules/demux/caf.c in VideoLAN VLC media player 3.0.4 may read memory from an uninitialized pointer when processing magic cookies in CAF files, because a ReadKukiChunk() cast converts a return value to an unsigned int even if that value is negative. This could result in a denial of service and/or a potential infoleak.
Access of Uninitialized Pointer
VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code
CVE-2018-11529
8 - High
- July 11, 2018
VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions.
Dangling pointer
The vlc_demux_chained_Delete function in input/demux_chained.c in VideoLAN VLC media player 3.0.1
CVE-2018-11516
8.8 - High
- May 28, 2018
The vlc_demux_chained_Delete function in input/demux_chained.c in VideoLAN VLC media player 3.0.1 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted .swf file.
Dangling pointer
The picture_Release function in misc/picture.c in VideoLAN VLC media player 2.1.5
CVE-2014-9598
- January 21, 2015
The picture_Release function in misc/picture.c in VideoLAN VLC media player 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service (write access violation) via a crafted M2V file.
Improper Input Validation
The picture_pool_Delete function in misc/picture_pool.c in VideoLAN VLC media player 2.1.5
CVE-2014-9597
- January 21, 2015
The picture_pool_Delete function in misc/picture_pool.c in VideoLAN VLC media player 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service (DEP violation and application crash) via a crafted FLV file.
Improper Input Validation
plugins/demux/libmkv_plugin.dll in VideoLAN VLC Media Player 2.0.7, and possibly other versions
CVE-2013-3245
- July 10, 2013
plugins/demux/libmkv_plugin.dll in VideoLAN VLC Media Player 2.0.7, and possibly other versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MKV file, possibly involving an integer overflow and out-of-bounds read or heap-based buffer overflow, or an uncaught exception. NOTE: the vendor disputes the severity and claimed vulnerability type of this issue, stating "This PoC crashes VLC, indeed, but does nothing more... this is not an integer overflow error, but an uncaught exception and I doubt that it is exploitable. This uncaught exception makes VLC abort, not execute random code, on my Linux 64bits machine." A PoC posted by the original researcher shows signs of an attacker-controlled out-of-bounds read, but the affected instruction does not involve a register that directly influences control flow
Buffer Overflow