Security Affairs
JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

CERT-Bund warns of a critical vulnerability in VLC player

VLC player is still affected by a critical heap-based memory buffer over-read condition, tracked as CVE-2019-13615, that could be exploited by a remote attacker to execute arbitrary code. The VLC player is still affected by a critical remote code execution vulnerability tracked as CVE-2019-13615. The potential impact of the flaw is important because the software […]

VLC player flaw

VLC player is still affected by a critical heap-based memory buffer over-read condition, tracked as CVE-2019-13615, that could be exploited by a remote attacker to execute arbitrary code.

The VLC player is still affected by a critical remote code execution vulnerability tracked as CVE-2019-13615.

The potential impact of the flaw is important because the software has more than 3.1 billion installs across various operating systems and versions.

VLC player flaw

Germany’s national Computer Emergency Response Team (CERT-Bund) has also published a security advisory to warn of the flaw in the VLC media player.

“VLC Media Player is a program for playing multimedia files and network streams.” reads the security advisory

“A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files.”

The vulnerability affects the latest release of the VLC player for Windows, Linux and UNIX, version 3.0.7.1, and likely earlier versions. The Germany’s national Computer Emergency Response Team (CERT-Bund) classified the flaw as a critical heap-based memory buffer over-read condition and assigned to it a score of 4 out of 5 on its severity scale.

The NIST National Vulnerability Database (NVD) rated the vulnerability as ‘critical’ severity and assigned it a CVSS score of 9.8 out of 10.

Both CERT-Bund and NVD pointed out that its exploitation doesn’t require system privileges or any user interaction, even if some experts believe that an attacker could exploit the flaw using a specially crafted mp4 file.

“As readers have correctly noticed in the heise security forum, the bugtracker entry (possibly as a proof of concept) depends on a .mp4 file.” reported the Heuse.de website. “This suggests that to exploit the vulnerability a prepared video file must be played. However, this is explicitly mentioned or confirmed neither in the CERT Bund report nor in the NVD entry. ovw ).”

According to the bugtracker used by the development team behind VLC, VideoLAN is already working on a security patch to address the flaw.

The good news is that at the time of writing, we are not aware of attacks in the wild exploiting the vulnerability.

In June, experts found two vulnerabilities in VLC media player that could allow remote attackers to take full control over a computer system while playing untrusted videos.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – VLC player, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]