A vulnerability in how video players load and parse subtitle files allows an attacker to execute code on a target's PC and effectively take over the device.

This vulnerability came to light today after security researchers from Israeli cyber-security firm Check Point published partial findings.

Researchers say that an attacker can craft malicious subtitle files that, when loaded inside one of the many vulnerable media players, execute code on the user's device.

In a YouTube video, Check Point researchers demoed the attack and showed how this previously unknown vulnerability grants an attacker full control over the affected computer.

Affected: VLC, Kodi, PopcornTime, and Stremio

According to Check Point security researchers, video players like VLC, Kodi, PopcornTime, and Stremio are vulnerable to this novel attack.

VLC and PopcornTime have already issued updates to address this flaw, while Kodi and Stremio are still working on patching the problem.

Researchers say that other video players that come with subtitle support are most likely vulnerable, but they haven't tested other applications.

Check Point has refrained from releasing proof-of-concept exploit code until other vendors are notified and have the chance to issue patches.

Vulnerability affects hundreds of millions of users

"We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerabilities reported in recent years," the Check Point Research Team says.

The vulnerability's reach is exacerbated by how users get most of their subtitles. Most of these files are hosted on subtitle repositories where anyone can upload a malicious file.

These portals rank subtitles based on popularity algorithms that an attacker can manipulate. By falsely improving the popularity of a malicious subtitle file, attackers can ensure that users download their file more often, or that streaming services such as Strem.io or PopcornTime pull the malicious subtitle before legitimate files.

Users are advised to use one of the updated video players, or not load any subtitles until they're sure they've updated to a safe version of their favorite player.