UPDATE: VideoLAN claims that VLC Media Player itself isn't actually vulnerable, as the issue only affects an external component, namely the libeblm library.

The libeblm bug was patched over a year ago, VideoLAN says, and all VLC builds provided by VideoLAN beginning with 3.0.3 include the fix. However, the flaw can manifest itself on VLC builds provided by Linux distributions that include older, vulnerable versions of the libeblm library, as is the case with Ubuntu 18.04 LTS.

More information on the bug report was included by VideoLAN in a Twitter thread here.

Original story below:

A critical security flaw in VLC Media Player has recently been discovered by German cybersecurity watchdog CERT-Bund, who warns that a successful attack would allow for remote code execution.

The vulnerability exists in VLC Media Player version 3.0.7.1, according to the official CVE-2019-13615, which is the latest stable release of the application.

“VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp,” the CVE notes.

According to the document, a successful exploit of the vulnerability allows for unauthorized disclosure of information, unauthorized modification of files, and disruption of service.

Patch already in the works for all platforms

Parent company VideoLAN has already started the development of a patch approximately four weeks ago, according to a bug report available here. The fix is already 60 percent complete, as per the work status indicator on this page.

At the time of writing this article, there are no details as to whether the vulnerability has been used in the wild for any attacks. However, now that the security flaw is public, there’s a chance the number of attacks could grow, especially against high-profile victims.

VLC Media Player is one of the best, and at the same time, one of the most popular applications of its kind, being able to play nearly every single multimedia format out there. It is available cross-platform and is offered at absolutely no cost, which makes it a must-have for a substantial number of users, regardless of the operating system or device.

As per WinFuture, the vulnerability exists in several versions of VLC Media Player for desktop platforms, meaning that Windows, Linux, and UNIX clients of the application. At this point, it looks like the macOS sibling isn’t impacted by the bug.