Summary : Two vulnerabilities fixed in VLC media player
Date : November 2023
Affected versions : VLC media player 3.0.18 and earlier
ID : VideoLAN-SB-VLC-3019
Fix potential arbitrary code execution with system privileges on uninstallation on Windows (!4292, CVE-2023-46814)
If successful, a malicious third party could trigger execution of an arbitrary binary with system privileges when VLC is uninstalled.
We have not seen exploits performing code execution through this vulnerability.
Exploitation of this issue requires the user to explicitly uninstall VLC using the provided uninstaller.
Keep VLC installed (do not run the vulnerable uninstaller) until it has been updated in place to version 3.0.19 or later.
VLC media player 3.0.19 addresses the issue.
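The following PowerShell script is an added example, not part of the VideoLAN advisory, for triaging Windows hosts against this advisory: it reads the standard Uninstall registry keys, flags any VLC install whose DisplayVersion is below 3.0.19, and prints the uninstaller command so an operator knows what not to run. It assumes VLC registers under the usual Uninstall keys with a DisplayName beginning "VLC media player" (the NSIS installer does this in practice; adjust the filter if a custom build differs). It only reads the registry and never invokes the uninstaller.

```powershell
# Added example (not from the VideoLAN advisory): find installed VLC versions
# in the Windows Uninstall registry keys and flag any below the fixed 3.0.19.
# Assumption: VLC registers under these keys with DisplayName "VLC media player*".

$fixedVersion  = [version]'3.0.19'
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-VlcInstallStatus {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'VLC media player*' } |
        ForEach-Object {
            # DisplayVersion is a string such as "3.0.18". Parse defensively so a
            # malformed value is reported as 'unknown' instead of aborting the scan.
            $parsed = $null
            $ok = [version]::TryParse($_.DisplayVersion, [ref]$parsed)
            if ($ok) { $vulnerable = $parsed -lt $fixedVersion } else { $vulnerable = 'unknown' }

            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                InstallLocation = $_.InstallLocation
                UninstallString = $_.UninstallString
                Vulnerable      = $vulnerable
            }
        }
}

$results = @(Get-VlcInstallStatus)
if ($results.Count -eq 0) {
    Write-Output 'VLC media player not found in the Uninstall registry keys.'
} else {
    $results | Format-Table -AutoSize
    foreach ($r in $results | Where-Object { $_.Vulnerable -ne $false }) {
        # The exploit path is the old uninstaller itself, so remediation is an
        # in-place upgrade with the 3.0.19 (or later) installer, not
        # uninstall-then-reinstall. Print the command the operator must avoid.
        Write-Warning ("{0} {1}: update in place to {2} or later; do not run: {3}" -f
            $r.DisplayName, $r.DisplayVersion, $fixedVersion, $r.UninstallString)
    }
}
```

Run it as the user whose HKCU hive should be checked (plus elevated once for the HKLM keys); installs that report Vulnerable = unknown have a DisplayVersion the script could not parse and should be inspected by hand.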
The NSIS uninstaller vulnerability was reported by the Lockheed Martin Red Team (!4292, CVE-2023-46814).
VLC 3.0.19 also bumps some dependencies, notably zlib (following the publication of CVE-2022-37434) and libvpx (following the publication of CVE-2023-5217).