VideoLAN
VideoLAN is a non-profit organization which develops software for playing video and other media formats. It originally developed two programs for media streaming, VideoLAN Client (VLC) and VideoLAN Server (VLS), but most of the features of VLS have been incorporated into VLC, with the result renamed VLC media player.
Products
9- 117 CVEs
- 22 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs
133| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-5108 | Cri | 0.69 | 9.8 | 0.25 | Jun 8, 2016 | Buffer overflow in the DecodeAdpcmImaQT function in modules/codec/adpcm.c in VideoLAN VLC media player before 2.2.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted QuickTime IMA file. | ||
| CVE-2025-25467 | Cri | 0.64 | 9.8 | 0.01 | Feb 18, 2025 | Insufficient tracking and releasing of allocated used memory in libx264 git master allows attackers to execute arbitrary code via creating a crafted AAC file. | ||
| CVE-2023-47359 | Cri | 0.64 | 9.8 | 0.01 | Nov 7, 2023 | Videolan VLC prior to version 3.0.20 contains an incorrect offset read that leads to a Heap-Based Buffer Overflow in function GetPacket() and results in a memory corruption. | ||
| CVE-2017-10699 | Cri | 0.64 | 9.8 | 0.04 | Jun 30, 2017 | avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before 2017-06-29, allows out-of-bounds heap memory write due to calling memcpy() with a wrong size, leading to a denial of service (application crash) or possibly code execution. | ||
| CVE-2014-6440 | Cri | 0.64 | 9.8 | 0.05 | Mar 28, 2017 | VideoLAN VLC media player before 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service. | ||
| CVE-2018-11529 | Hig | 0.58 | 8.0 | 0.41 | Jul 11, 2018 | VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions. | ||
| CVE-2018-11516 | Hig | 0.57 | 8.8 | 0.04 | May 28, 2018 | The vlc_demux_chained_Delete function in input/demux_chained.c in VideoLAN VLC media player 3.0.1 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted .swf file. | ||
| CVE-2017-17670 | Hig | 0.57 | 8.8 | 0.02 | Dec 15, 2017 | In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to a invalid free, because the type of a box may be changed between a read operation and a free operation. | ||
| CVE-2017-8311 | Hig | 0.54 | 7.8 | 0.09 | May 23, 2017 | Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before 2.2.5 due to skipping NULL terminator in an input string allows attackers to execute arbitrary code via a crafted subtitles file. | ||
| CVE-2024-46461 | Hig | 0.52 | 8.0 | 0.01 | Sep 25, 2024 | VLC media player 3.0.20 and earlier is vulnerable to denial of service through an integer overflow which could be triggered with a maliciously crafted mms stream (heap based overflow). If successful, a malicious third party could trigger either a crash of VLC or an arbitrary… | ||
| CVE-2017-13135 | Hig | 0.51 | 7.8 | 0.01 | Nov 16, 2017 | A NULL Pointer Dereference exists in VideoLAN x265, as used in libbpg 0.9.7 and other products, because the CUData::initialize function in common/cudata.cpp mishandles memory-allocation failure. | ||
| CVE-2017-9301 | Hig | 0.51 | 7.8 | 0.03 | May 29, 2017 | plugins\audio_filter\libmpgatofixed32_plugin.dll in VideoLAN VLC media player 2.2.4 allows remote attackers to cause a denial of service (invalid read and application crash) or possibly have unspecified other impact via a crafted file. | ||
| CVE-2017-9300 | Hig | 0.51 | 7.8 | 0.03 | May 29, 2017 | plugins\codec\libflac_plugin.dll in VideoLAN VLC media player 2.2.4 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted FLAC file. | ||
| CVE-2023-47360 | Hig | 0.49 | 7.5 | 0.01 | Nov 7, 2023 | Videolan VLC prior to version 3.0.20 contains an Integer underflow that leads to an incorrect packet length. | ||
| CVE-2013-3245 | Med | 0.41 | 6.3 | 0.03 | Jul 10, 2013 | plugins/demux/libmkv_plugin.dll in VideoLAN VLC Media Player 2.0.7, and possibly other versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MKV file, possibly involving an integer overflow and out-of-bounds read… | ||
| CVE-2017-8313 | Med | 0.36 | 5.5 | 0.01 | May 23, 2017 | Heap out-of-bound read in ParseJSS in VideoLAN VLC before 2.2.5 due to missing check of string termination allows attackers to read data beyond allocated memory and potentially crash the process via a crafted subtitles file. | ||
| CVE-2017-8312 | Med | 0.36 | 5.5 | 0.01 | May 23, 2017 | Heap out-of-bound read in ParseJSS in VideoLAN VLC due to missing check of string length allows attackers to read heap uninitialized data via a crafted subtitles file. | ||
| CVE-2017-8310 | Med | 0.36 | 5.5 | 0.01 | May 23, 2017 | Heap out-of-bound read in CreateHtmlSubtitle in VideoLAN VLC 2.2.x due to missing check of string termination allows attackers to read data beyond allocated memory and potentially crash the process (causing a denial of service) via a crafted subtitles file. | ||
| CVE-2016-3941 | Med | 0.36 | 5.5 | 0.01 | Apr 18, 2016 | Buffer overflow in the AStreamPeekStream function in input/stream.c in VideoLAN VLC media player before 2.2.0 allows remote attackers to cause a denial of service (crash) via a crafted wav file, related to "seek across EOF." | ||
| CVE-2026-26228 | Med | 0.32 | 4.9 | 0.00 | Feb 26, 2026 | VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory… |
- risk 0.69cvss 9.8epss 0.25
Buffer overflow in the DecodeAdpcmImaQT function in modules/codec/adpcm.c in VideoLAN VLC media player before 2.2.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted QuickTime IMA file.
- risk 0.64cvss 9.8epss 0.01
Insufficient tracking and releasing of allocated used memory in libx264 git master allows attackers to execute arbitrary code via creating a crafted AAC file.
- risk 0.64cvss 9.8epss 0.01
Videolan VLC prior to version 3.0.20 contains an incorrect offset read that leads to a Heap-Based Buffer Overflow in function GetPacket() and results in a memory corruption.
- risk 0.64cvss 9.8epss 0.04
avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before 2017-06-29, allows out-of-bounds heap memory write due to calling memcpy() with a wrong size, leading to a denial of service (application crash) or possibly code execution.
- risk 0.64cvss 9.8epss 0.05
VideoLAN VLC media player before 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service.
- risk 0.58cvss 8.0epss 0.41
VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions.
- risk 0.57cvss 8.8epss 0.04
The vlc_demux_chained_Delete function in input/demux_chained.c in VideoLAN VLC media player 3.0.1 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted .swf file.
- risk 0.57cvss 8.8epss 0.02
In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to a invalid free, because the type of a box may be changed between a read operation and a free operation.
- risk 0.54cvss 7.8epss 0.09
Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before 2.2.5 due to skipping NULL terminator in an input string allows attackers to execute arbitrary code via a crafted subtitles file.
- risk 0.52cvss 8.0epss 0.01
VLC media player 3.0.20 and earlier is vulnerable to denial of service through an integer overflow which could be triggered with a maliciously crafted mms stream (heap based overflow). If successful, a malicious third party could trigger either a crash of VLC or an arbitrary…
- risk 0.51cvss 7.8epss 0.01
A NULL Pointer Dereference exists in VideoLAN x265, as used in libbpg 0.9.7 and other products, because the CUData::initialize function in common/cudata.cpp mishandles memory-allocation failure.
- risk 0.51cvss 7.8epss 0.03
plugins\audio_filter\libmpgatofixed32_plugin.dll in VideoLAN VLC media player 2.2.4 allows remote attackers to cause a denial of service (invalid read and application crash) or possibly have unspecified other impact via a crafted file.
- risk 0.51cvss 7.8epss 0.03
plugins\codec\libflac_plugin.dll in VideoLAN VLC media player 2.2.4 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted FLAC file.
- risk 0.49cvss 7.5epss 0.01
Videolan VLC prior to version 3.0.20 contains an Integer underflow that leads to an incorrect packet length.
- risk 0.41cvss 6.3epss 0.03
plugins/demux/libmkv_plugin.dll in VideoLAN VLC Media Player 2.0.7, and possibly other versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MKV file, possibly involving an integer overflow and out-of-bounds read…
- risk 0.36cvss 5.5epss 0.01
Heap out-of-bound read in ParseJSS in VideoLAN VLC before 2.2.5 due to missing check of string termination allows attackers to read data beyond allocated memory and potentially crash the process via a crafted subtitles file.
- risk 0.36cvss 5.5epss 0.01
Heap out-of-bound read in ParseJSS in VideoLAN VLC due to missing check of string length allows attackers to read heap uninitialized data via a crafted subtitles file.
- risk 0.36cvss 5.5epss 0.01
Heap out-of-bound read in CreateHtmlSubtitle in VideoLAN VLC 2.2.x due to missing check of string termination allows attackers to read data beyond allocated memory and potentially crash the process (causing a denial of service) via a crafted subtitles file.
- risk 0.36cvss 5.5epss 0.01
Buffer overflow in the AStreamPeekStream function in input/stream.c in VideoLAN VLC media player before 2.2.0 allows remote attackers to cause a denial of service (crash) via a crafted wav file, related to "seek across EOF."
- risk 0.32cvss 4.9epss 0.00
VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory…