
Security

Security contacts

Email: security@REMOVE@videolan.org (drop the "REMOVE@" anti-spam token before sending).

Please note that signed emails are welcome, and responsible disclosure is very much appreciated.

VLC releases Security Bulletins (SB)

Each bulletin corresponds to one VLC release and may group several security issues fixed in that release, whether found internally or reported externally.

2020

VideoLAN-SB-VLC-309
Multiple vulnerabilities fixed in VLC media player 3.0.9/3.0.10.

2019

VideoLAN-SB-VLC-308
Multiple vulnerabilities fixed in VLC media player 3.0.8.

VideoLAN security advisories

Please note: the VideoLAN project does not issue security advisories for the third-party libraries VLC depends on. Refer to the advisories of the relevant upstream projects for those.

2019

VideoLAN-SA-1901
Buffer overflow in AVI demuxer and heap use-after-free in MKV demuxer.

2018

VideoLAN-SA-1801
Heap use-after-free in avformat demuxer.

2016

VideoLAN-SA-1601
Buffer overflow in processing of QuickTime IMA files.

2015

VideoLAN-SA-1501
Multiple heap and buffer overflows.

2013

VideoLAN-SA-1302 (CVE-2013-1954)
Overflow in ASF demuxer.
VideoLAN-SA-1301
Overflow in subtitles decoder.

2012

VideoLAN-SA-1203 (CVE-2012-5470)
Overflow in PNG decoder.
VideoLAN-SA-1202 (CVE-2012-1776)
Heap overflows in Real RTSP protocol.
VideoLAN-SA-1201 (CVE-2012-1775)
Stack overflow in MMS protocol.

2011

VideoLAN-SA-1108 (CVE-2012-0023)
Heap corruption in TiVo demuxer.
VideoLAN-SA-1107 (CVE-2011-3333)
NULL dereference in HTTP and RTSP server.
VideoLAN-SA-1106 (CVE-2011-2588)
Heap buffer overflow in AVI demuxer.
VideoLAN-SA-1105 (CVE-2011-2587)
Heap buffer overflow in RealMedia demuxer.
VideoLAN-SA-1104 (CVE-2011-2194)
Integer overflow in XSPF demuxer.
VideoLAN-SA-1103 (CVE-2011-1684)
Heap corruption in MP4 demuxer.
VideoLAN-SA-1102 (CVE-2011-0531)
Insufficient input validation in MKV demuxer.
VideoLAN-SA-1101 (CVE-2011-0021)
Heap corruption in CDG codec.

2010

VideoLAN-SA-1007 (CVE-2010-3907)
Buffer overflow in Real Media demuxer.
VideoLAN-SA-1006
Stack smashing in SMB/CIFS access.
VideoLAN-SA-1005 (CVE-2010-3124)
DLL preloading vulnerability.
VideoLAN-SA-1004 (CVE-2010-2937)
Insufficient input validation in VLC TagLib plugin.
VideoLAN-SA-1003 (CVE-2010-1441, CVE-2010-1442, CVE-2010-1443, CVE-2010-1444, CVE-2010-1445)
Multiple vulnerabilities in VLC.
VideoLAN-SA-1002
Buffer overflow in ancient VLC media player.
VideoLAN-SA-1001
Clam AntiVirus input validation error.

2009

VideoLAN-SA-0901
Stack overflows in VLC demuxers.

2008

VideoLAN-SA-0811 (CVE-2008-5276)
Buffer overflows in VLC Real demuxers.
VideoLAN-SA-0810 (CVE-2008-5032, CVE-2008-5036)
Multiple overflows in VLC demuxers.
VideoLAN-SA-0809 (CVE-2008-4654, CVE-2008-4686)
Buffer overflow in VLC TiVo demuxer.
VideoLAN-SA-0807 (CVE-2008-3732, CVE-2008-3794)
Multiple overflows in VLC demuxers.
VideoLAN-SA-0806 (CVE-2008-2430)
Arbitrary code execution through potential heap overflows in VLC's WAV demuxer.
VideoLAN-SA-0805 (CVE-2008-2147)
Arbitrary code execution through rogue VLC plugins in the current directory.
VideoLAN-SA-0804 (CVE-2007-6683)
Arbitrary file overwrite and other abuses through the M3U parser and browser plugins.
VideoLAN-SA-0803 (CVE-2008-0073, CVE-2008-1489, CVE-2008-1768, CVE-2008-1769)
Arbitrary memory overwrite vulnerabilities in multiple modules: Real RTSP demuxer, Real Media demuxer, MP4 demuxer, Cinepak decoder.
VideoLAN-SA-0802, CORE-2008-0130 (CVE-2008-0984)
Arbitrary memory overwrite vulnerability in the MP4 demuxer.
VideoLAN-SA-0801 (CVE-2007-6681, CVE-2007-6682, CVE-2008-0295, CVE-2008-0296)
Format string vulnerability in the Web interface. Stack-based buffer overflow in the Subtitles demuxer. String buffer overflows in the Real RTSP demuxer.

2007

VideoLAN-SA-0703, CORE-2007-1004 (CVE-2007-6262)
Recursive plugin release vulnerability in the ActiveX plugin.
VideoLAN-SA-0702 (CVE-2007-3316)
Format string injection in Vorbis, Theora, SAP and CDDA plugins.
VideoLAN-SA-0701, MOAB-02-01-2007 (CVE-2007-0017)
URL format string injection in CDDA and VCDX plugins.