German information security specialists have found a critical RCE bug in VLC Media Player; there is no patch yet.

Specialists of the German CERT-Bund discovered a dangerous vulnerability in a popular media player that allows remote execution of arbitrary code.

The patch is already in development, but not ready yet.

The problem reportedly affects the latest version, VLC Media Player 3.0.7.1 (for Windows, Linux and UNIX), and has received the identifier CVE-2019-13615.

It has been assigned a CVSS score of 9.8 out of 10.

“A remote, anonymous attacker can exploit the vulnerability in VLC to execute arbitrary code, cause a denial-of-service condition, exfiltrate information, or manipulate files,” ESET warns.

The vulnerability is a buffer over-read. The root of the bug lies in the mkv::demux_sys_t::FreeUnused() function in modules/demux/mkv/demux.cpp, which is triggered by a call from mkv::Open in modules/demux/mkv/mkv.cpp.

Exploiting the vulnerability can lead not only to the execution of arbitrary code, but also to unauthorized disclosure of information, file changes and denial of service.

According to the bug report, the VideoLAN developers have been working on creating a patch for this problem for almost a month, but the fix is not ready yet. Judging by the status indicator, at present the patch is only 60% ready.

Currently, developers and researchers have no information indicating that attackers are already exploiting this vulnerability. Unfortunately, now that details of the bug have been published, the situation can quickly change for the worse.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
