
Security Advisory 1901

Summary           : Read buffer overflow & double free
Date              : June 2019
Affected versions : VLC media player 3.0.6 and earlier
ID                : VideoLAN-SA-1901
CVE reference     : CVE-2019-5439, CVE-2019-12874


A remote user can create specially crafted AVI or MKV files that, when loaded by the target user, trigger a heap buffer overflow (read) in ReadFrame (demux/avi/avi.c) or a double free in zlib_decompress_extra() (demux/mkv/utils.cpp), respectively.


If successful, a malicious third party could trigger either a crash of VLC or arbitrary code execution with the privileges of the target user.

Threat mitigation

Exploitation of those issues requires the user to explicitly open a specially crafted file or stream.


The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.


VLC media player 3.0.7 addresses the issues. This release also fixes an important security issue that could lead to code execution when playing an AAC file.


The MKV double free vulnerability was reported by Symeon Paraschoudis from Pen Test Partners.

