VideoLAN, a project and a non-profit organization.

Security Advisory 1107

Summary           : NULL dereference vulnerability in HTTP and RTSP server
Date              : 06 October 2011
Affected versions : VLC media player 1.1.11 and earlier
ID                : VideoLAN-SA-1107
CVE references    : CVE-2011-3333


VLC media player suffers from a NULL dereference vulnerability in the HTTP and RTSP server component.


If successful, a malicious third party could crash the server process. Arbitrary code execution within the context of VLC media player is not believed possible.

Threat mitigation

Exploitation of those bugs requires the user to explicitly start the HTTP web interface, HTTP output, RTSP output or RTSP VoD functions.


Where possible, limit access to the VLC server to trusted IP addresses.

Alternatively, configure a deep inspection firewall to block malformed HTTP and RTSP requests.
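The "limit access to trusted IP addresses" workaround, as an added example that is not part of the VideoLAN advisory: a small POSIX shell script that generates (and, as root, loads) an nftables ruleset allowing only a trusted prefix to reach the VLC HTTP and RTSP listeners. The port numbers (TCP 8080 for the HTTP interface/output, TCP 554 for RTSP output/VoD) are assumptions, not taken from the advisory; set VLC_PORTS to match your own VLC configuration. Dropping unsolicited connections at the host firewall keeps malformed requests from ever reaching VLC's request parser, which is the component the advisory describes as crashable.

```shell
#!/bin/sh
# Added example (not from the VideoLAN advisory): restrict VLC's HTTP/RTSP
# listeners to trusted source addresses with nftables.
# ASSUMPTION: VLC listens on TCP 8080 (HTTP) and TCP 554 (RTSP). Override
# VLC_PORTS if your VLC instance uses different ports.

VLC_PORTS="${VLC_PORTS:-8080, 554}"

# vlc_acl_ruleset <trusted-ipv4-cidr> [<trusted-ipv6-cidr>]
# Prints an nftables ruleset (inet family, input hook) that accepts TCP
# connections to the VLC ports only from the given prefixes and drops the rest.
vlc_acl_ruleset() {
  trusted4="$1"
  trusted6="${2:-}"
  if [ -z "$trusted4" ]; then
    echo "usage: vlc_acl_ruleset <ipv4-cidr> [ipv6-cidr]" >&2
    return 2
  fi
  cat <<EOF
table inet vlc_acl {
  chain input {
    type filter hook input priority 0; policy accept;
    # Trusted clients may reach the VLC HTTP/RTSP listeners.
    ip saddr $trusted4 tcp dport { $VLC_PORTS } accept
EOF
  if [ -n "$trusted6" ]; then
    printf '    ip6 saddr %s tcp dport { %s } accept\n' "$trusted6" "$VLC_PORTS"
  fi
  cat <<EOF
    # Everyone else is dropped before the request reaches VLC's parser.
    tcp dport { $VLC_PORTS } drop
  }
}
EOF
}

# vlc_acl_apply <trusted-ipv4-cidr> [<trusted-ipv6-cidr>]
# Loads the ruleset with nft when run as root; otherwise prints it for review.
vlc_acl_apply() {
  if [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
    vlc_acl_ruleset "$@" | nft -f -
  else
    echo "# not root or nft not installed; printing the ruleset instead of loading it" >&2
    vlc_acl_ruleset "$@"
  fi
}

# Example invocation with a documentation prefix (RFC 5737), a constructed value:
# vlc_acl_apply 192.0.2.0/24
```

The ruleset deliberately uses `policy accept` on the chain so that it only touches the VLC ports and does not interfere with other host rules; the accept rule for trusted prefixes precedes the unconditional drop because nftables evaluates rules in order.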


VLC media player 1.1.12 addresses this issue. A source code patch is also available as an alternative.


This vulnerability was discovered by Jouni Knuutinen from Codenomicon Oy and coordinated by Antti Kiuru from the CERT-FI security unit at the Finnish Communications Regulatory Authority (FICORA).


References

The VideoLAN Project
Source code patch: git commit a03617089bc045e343f94921f257cf71436f4812
Codenomicon Oy


History

10 October 2011   : CVE ID assigned
06 October 2011   : VLC 1.1.12 released; initial advisory
26 September 2011 : Bug reported; issue resolved privately
Rémi Denis-Courmont,
on behalf of the VideoLAN project