VYPR
Vendor

VideoLAN

VideoLAN is a non-profit organization which develops software for playing video and other media formats. It originally developed two programs for media streaming, VideoLAN Client (VLC) and VideoLAN Server (VLS), but most of the features of VLS have been incorporated into VLC, with the result renamed VLC media player.

Founded 2009
Products
9
CVEs
133
Across products
148
Status
Private

Products

9

Recent CVEs

133
View all 133 CVEs →
  • CVE-2016-5108CriJun 8, 2016
    risk 0.69cvss 9.8epss 0.25

    Buffer overflow in the DecodeAdpcmImaQT function in modules/codec/adpcm.c in VideoLAN VLC media player before 2.2.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted QuickTime IMA file.

  • CVE-2025-25467CriFeb 18, 2025
    risk 0.64cvss 9.8epss 0.01

    Insufficient tracking and releasing of allocated used memory in libx264 git master allows attackers to execute arbitrary code via creating a crafted AAC file.

  • CVE-2023-47359CriNov 7, 2023
    risk 0.64cvss 9.8epss 0.01

    Videolan VLC prior to version 3.0.20 contains an incorrect offset read that leads to a Heap-Based Buffer Overflow in function GetPacket() and results in a memory corruption.

  • CVE-2017-10699CriJun 30, 2017
    risk 0.64cvss 9.8epss 0.04

    avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before 2017-06-29, allows out-of-bounds heap memory write due to calling memcpy() with a wrong size, leading to a denial of service (application crash) or possibly code execution.

  • CVE-2014-6440CriMar 28, 2017
    risk 0.64cvss 9.8epss 0.05

    VideoLAN VLC media player before 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service.

  • CVE-2018-11529HigJul 11, 2018
    risk 0.58cvss 8.0epss 0.41

    VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions.

  • CVE-2018-11516HigMay 28, 2018
    risk 0.57cvss 8.8epss 0.04

    The vlc_demux_chained_Delete function in input/demux_chained.c in VideoLAN VLC media player 3.0.1 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted .swf file.

  • CVE-2017-17670HigDec 15, 2017
    risk 0.57cvss 8.8epss 0.02

    In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to a invalid free, because the type of a box may be changed between a read operation and a free operation.

  • CVE-2017-8311HigMay 23, 2017
    risk 0.54cvss 7.8epss 0.09

    Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before 2.2.5 due to skipping NULL terminator in an input string allows attackers to execute arbitrary code via a crafted subtitles file.

  • CVE-2024-46461HigSep 25, 2024
    risk 0.52cvss 8.0epss 0.01

    VLC media player 3.0.20 and earlier is vulnerable to denial of service through an integer overflow which could be triggered with a maliciously crafted mms stream (heap based overflow). If successful, a malicious third party could trigger either a crash of VLC or an arbitrary…

  • CVE-2017-13135HigNov 16, 2017
    risk 0.51cvss 7.8epss 0.01

    A NULL Pointer Dereference exists in VideoLAN x265, as used in libbpg 0.9.7 and other products, because the CUData::initialize function in common/cudata.cpp mishandles memory-allocation failure.

  • CVE-2017-9301HigMay 29, 2017
    risk 0.51cvss 7.8epss 0.03

    plugins\audio_filter\libmpgatofixed32_plugin.dll in VideoLAN VLC media player 2.2.4 allows remote attackers to cause a denial of service (invalid read and application crash) or possibly have unspecified other impact via a crafted file.

  • CVE-2017-9300HigMay 29, 2017
    risk 0.51cvss 7.8epss 0.03

    plugins\codec\libflac_plugin.dll in VideoLAN VLC media player 2.2.4 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted FLAC file.

  • CVE-2023-47360HigNov 7, 2023
    risk 0.49cvss 7.5epss 0.01

    Videolan VLC prior to version 3.0.20 contains an Integer underflow that leads to an incorrect packet length.

  • CVE-2013-3245MedJul 10, 2013
    risk 0.41cvss 6.3epss 0.03

    plugins/demux/libmkv_plugin.dll in VideoLAN VLC Media Player 2.0.7, and possibly other versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MKV file, possibly involving an integer overflow and out-of-bounds read…

  • CVE-2017-8313MedMay 23, 2017
    risk 0.36cvss 5.5epss 0.01

    Heap out-of-bound read in ParseJSS in VideoLAN VLC before 2.2.5 due to missing check of string termination allows attackers to read data beyond allocated memory and potentially crash the process via a crafted subtitles file.

  • CVE-2017-8312MedMay 23, 2017
    risk 0.36cvss 5.5epss 0.01

    Heap out-of-bound read in ParseJSS in VideoLAN VLC due to missing check of string length allows attackers to read heap uninitialized data via a crafted subtitles file.

  • CVE-2017-8310MedMay 23, 2017
    risk 0.36cvss 5.5epss 0.01

    Heap out-of-bound read in CreateHtmlSubtitle in VideoLAN VLC 2.2.x due to missing check of string termination allows attackers to read data beyond allocated memory and potentially crash the process (causing a denial of service) via a crafted subtitles file.

  • CVE-2016-3941MedApr 18, 2016
    risk 0.36cvss 5.5epss 0.01

    Buffer overflow in the AStreamPeekStream function in input/stream.c in VideoLAN VLC media player before 2.2.0 allows remote attackers to cause a denial of service (crash) via a crafted wav file, related to "seek across EOF."

  • CVE-2026-26228MedFeb 26, 2026
    risk 0.32cvss 4.9epss 0.00

    VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory…