VideoLAN, a project and a non-profit organization.

Security Bulletin VLC 3.0.19

Summary           : Two vulnerabilities fixed in VLC media player
Date              : November 2023
Affected versions : VLC media player 3.0.18 and earlier
ID                : VideoLAN-SB-VLC-3019


Fix potential arbitrary code execution with system privileges on uninstallation on Windows (!4292, CVE-2023-46814)


If successful, a malicious third party could trigger the execution of an arbitrary binary with system privileges when VLC is uninstalled.

We have not seen exploits performing code execution through this vulnerability.

Threat mitigation

Exploitation of this issue requires the user to explicitly uninstall VLC using the provided uninstaller.


Keep VLC installed until updated to version 3.0.19 or later.


VLC media player 3.0.19 addresses the issue.


The NSIS uninstaller vulnerability was reported by the Lockheed Martin Red Team (!4292, CVE-2023-46814).

Additional notes

VLC 3.0.19 also bumps some dependencies, notably zlib and vpx, following the publication of CVE-2022-37434 and CVE-2023-5217.

