Security Bulletin VLC 3.0.22

Summary           : Multiple vulnerabilities fixed in VLC media player
Date              : December 2025
Affected versions : VLC media player 3.0.21 and earlier
ID                : VideoLAN-SB-VLC-3022
CVE references    : CVE-2025-51602

Details

A denial of service could be triggered with maliciously crafted files or streams.

Impact

If successful, a malicious third party could trigger a crash of VLC (Denial of service).

While these issues in themselves are most likely to just crash the application, we can't exclude that they could be combined to leak user information or remotely execute code. ASLR and DEP help reduce the likeliness of code execution, but may be bypassed.

We have not seen exploits performing code execution through these vulnerabilies.

Threat mitigation

Exploitation of this issue requires the user to explicitly open a maliciously crafted file or stream.

Workarounds

The user should refrain from opening files or streams from untrusted sources (and disable the VLC browser plugins), until the patch is applied.

Solution

VLC media player 3.0.22 addresses these issues.

Credits

• MMS out of bounds read reported by Dr. Ahmed Lekssays of the Qatar Computing Research Institute. (#29146, CVE-2025-51602)
• OggSpots out of bounds read reported by Stanislav Fort Aisle Research. (#29319)
• CEA-708 captions out of bounds write reported by Stanislav Fort Aisle Research. (#29328, #29375, #29326, #29323)
• ty out of bounds read found by OSS-Fuzz (#29316)
• CVD subtitltes out of bounds read found by OSS-Fuzz (#29325, #29286)
• Ogg demuxer out of bounds read found by OSS-Fuzz (#29314)
• WebVTT demuxer unbound recursion and out of bounds read found by OSS-Fuzz (#29392, #29233)
• NSV demuxer out of bounds read found by OSS-Fuzz (#29300)
• SRT subtitles out of bounds read found by OSS-Fuzz (#29235)
• ASF invalid free() found by OSS-Fuzz (#29058)
• MP4 demuxer out of bounds read/write issues found by Ruhr University Bochum (#28959, #28972)
• SPU decoder out of bounds read found by Ruhr University Bochum (#28960)
• MJPEG demuxer out of bounds read found by OSS-Fuzz (#29009)
• SVCD subtitle decoder out of bounds write found by Ruhr University Bochum (#28961)
• tx3g subtitle decoder out of bounds write found by Ruhr University Bochum (#28965
• Audio output stack buffer overflow found by Ruhr University Bochum (#28968)

References

The VideoLAN project

https://www.videolan.org/

VLC official Git repository

https://code.videolan.org/videolan/vlc.git