Security
Security contacts
Email: security@REMOVE@videolan.org.
Please note that signed emails are welcome, and responsible disclosure is very much appreciated.
VLC releases Security Bulletins (SB)
Those bulletins are related to each VLC release and can be made of multiple security issues, internal and external.
2024
- VideoLAN-SB-VLC-321
- Vulnerability fixed in VLC media player 3.0.21 Details
- VideoLAN-SB-VLC-iOS-359
- Vulnerability fixed in VLC-iOS 3.5.9 Details
2023
- VideoLAN-SB-VLC-320
- Vulnerability fixed in VLC media player 3.0.20 Details
- VideoLAN-SB-VLC-319
- Vulnerability fixed in VLC media player 3.0.19 Details
2022
- VideoLAN-SB-VLC-318
- Multiple vulnerabilities fixed in VLC media player 3.0.18 Details
2021
- VideoLAN-SB-VLC-313
- Multiple vulnerabilities fixed in VLC media player 3.0.13 Details
2020
- VideoLAN-SB-VLC-312
- Multiple vulnerabilities fixed in VLC media player 3.0.12 Details
- VideoLAN-SB-VLC-311
- Multiple vulnerabilities fixed in VLC media player 3.0.11 Details
- VideoLAN-SB-VLC-309
- Multiple vulnerabilities fixed in VLC media player 3.0.9/3.0.10 Details
2019
- VideoLAN-SB-VLC-308
- Multiple vulnerabilities fixed in VLC media player 3.0.8 Details
VideoLAN security advisories
Please note: The VideoLAN project does not issue security advisories for underlying third party libraries. Please refer to the concerned third parties as appropriate.
2019
- VideoLAN-SA-1901
- Buffer overflow in avi demuxer & heap use after free in mkv demuxer Details
2018
- VideoLAN-SA-1801
- Heap use after free in avformat demuxer Details
2016
- VideoLAN-SA-1601
- Buffer Overflow in Processing QuickTime IMA Files Details
2015
- VideoLAN-SA-1501
- Multiple heap and buffer overflows Details
2013
- VideoLAN-SA-1302 (CVE-2013-1954)
- Overflow in ASF Demuxer Details
- VideoLAN-SA-1301
- Overflow in subtitles decoder Details
2012
- VideoLAN-SA-1203 (CVE-2012-5470)
- Overflow in PNG decoder Details
- VideoLAN-SA-1202 (CVE-2012-1776)
- Heap overflows in Real RTPS protocol Details
- VideoLAN-SA-1201 (CVE-2012-1775)
- Stack overflow in MMS protocol Details
2011
- VideoLAN-SA-1108 (CVE-2012-0023)
- Heap corruption in TiVo demuxer. Details
- VideoLAN-SA-1107 (CVE-2011-3333)
- NULL dereference in HTTP and RTSP server. Details
- VideoLAN-SA-1106 (CVE-2011-2588)
- Heap buffer overflow in AVI demuxer. Details
- VideoLAN-SA-1105 (CVE-2011-2587)
- Heap buffer overflow in RealMedia demuxer. Details
- VideoLAN-SA-1104 (CVE-2011-2194)
- Integer overflow in XSPF demuxer. Details
- VideoLAN-SA-1103 (CVE-2011-1684)
- Heap corruption in MP4 demuxer. Details
- VideoLAN-SA-1102 (CVE-2011-0531)
- Insufficient input validation in MKV demuxer. Details
- VideoLAN-SA-1101 (CVE-2011-0021)
- Heap corruption in CDG codec. Details
2010
- VideoLAN-SA-1007 (CVE-2010-3907)
- Buffer overflow in Real Media demuxer. Details
- VideoLAN-SA-1006
- Stack smashing in SMB/CIFS access. Details
- VideoLAN-SA-1005 (CVE-2010-3124)
- DLL preloading vulnerability. Details
- VideoLAN-SA-1004 (CVE-2010-2937)
- Insufficient input validation VLC TagLib plugin. Details
- VideoLAN-SA-1003 (CVE-2010-1441..5)
- Multiple vulnerabilities in VLC. Details
- VideoLAN-SA-1002
- Buffer overflow in ancient VLC media player Details
- VideoLAN-SA-1001
- Clam AntiVirus input validation error Details
2009
- VideoLAN-SA-0901
- Stack overflows in VLC demuxers. Details
2008
- VideoLAN-SA-0811 (CVE-2008-5276)
- Buffer overflows in VLC Real demuxers. Details
- VideoLAN-SA-0810 (CVE-2008-5032, CVE-2008-5036)
- Multiple overflows in VLC demuxers. Details
- VideoLAN-SA-0809 (CVE-2008-4654, CVE-2008-4686)
- Buffer overflow in VLC TiVo demuxer. Details
- VideoLAN-SA-0807 (CVE-2008-3732, CVE-2008-3794)
- Multiple overflows in VLC demuxers. Details
- VideoLAN-SA-0806 (CVE-2008-2430)
- Arbitrary code execution through potential heap-overflows in VLC's WAV demuxer. Details
- VideoLAN-SA-0805 (CVE-2008-2147)
- Arbitrary code execution through rogue VLC plugins in the current directory. Details
- VideoLAN-SA-0804 (CVE-2007-6683)
- Arbitrary file overwrite and other abuses through M3U parser and browsers plugins. Details
- VideoLAN-SA-0803 (CVE-2008-0073, CVE-2008-1489, CVE-2008-1768, CVE-2008-1769)
- Arbitrary memory overwrite vulnerabilities in multiple modules: Real RTSP demuxer, Real Media demuxer, MP4 demuxer, Cinepak decoder. Details
- VideoLAN-SA-0802, CORE-2008-0130 (CVE-2008-0984)
- Arbitrary memory overwrite vulnerability in the MP4 demuxer. Details
- VideoLAN-SA-0801 (CVE-2007-6681, CVE-2007-6682, CVE-2008-0295, CVE-2008-0296)
- Format string vulnerability in the Web interface. Stack-based buffer overflow in the Subtitles demuxer. String buffer overflows in the Real RTSP demuxer. Details
2007
- VideoLAN-SA-0703, CORE-2007-1004 (CVE-2007-6262)
- Recursive plugin release vulnerability in the Active X plugin. Details
- VideoLAN-SA-0702 (CVE-2007-3316)
- Format string injection in Vorbis, Theora, SAP and CDDA plugins. Details
- VideoLAN-SA-0701, MOAB-02-01-2007 (CVE-2007-0017)
- URL format string injection in CDDA and VCDX plugins. Details
Legal
| Report Trademark Abuse
VideoLAN, VLC, VLC media player and x264 are trademarks internationally registered by the VideoLAN non-profit organization.
VideoLAN software is licensed under various open-source licenses: use and distribution are defined by each software license.
Design by Made By Argon. Some icons are licensed under the CC BY-SA 3.0+.
The VLC cone icon was designed by Richard Ă˜iestad. Icons for VLMC, DVBlast and x264 designed by Roman Khramov.