VYPR

Vendor CVEs

VideoLAN

All CVEs

133 total · sorted by risk
  • CVE-2016-5108CriJun 8, 2016
    risk 0.69cvss 9.8epss 0.25

    Buffer overflow in the DecodeAdpcmImaQT function in modules/codec/adpcm.c in VideoLAN VLC media player before 2.2.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted QuickTime IMA file.

  • CVE-2025-25467CriFeb 18, 2025
    risk 0.64cvss 9.8epss 0.01

    Insufficient tracking and releasing of allocated used memory in libx264 git master allows attackers to execute arbitrary code via creating a crafted AAC file.

  • CVE-2023-47359CriNov 7, 2023
    risk 0.64cvss 9.8epss 0.01

    Videolan VLC prior to version 3.0.20 contains an incorrect offset read that leads to a Heap-Based Buffer Overflow in function GetPacket() and results in a memory corruption.

  • CVE-2017-10699CriJun 30, 2017
    risk 0.64cvss 9.8epss 0.04

    avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before 2017-06-29, allows out-of-bounds heap memory write due to calling memcpy() with a wrong size, leading to a denial of service (application crash) or possibly code execution.

  • CVE-2014-6440CriMar 28, 2017
    risk 0.64cvss 9.8epss 0.05

    VideoLAN VLC media player before 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service.

  • CVE-2018-11529HigJul 11, 2018
    risk 0.58cvss 8.0epss 0.41

    VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions.

  • CVE-2018-11516HigMay 28, 2018
    risk 0.57cvss 8.8epss 0.04

    The vlc_demux_chained_Delete function in input/demux_chained.c in VideoLAN VLC media player 3.0.1 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted .swf file.

  • CVE-2017-17670HigDec 15, 2017
    risk 0.57cvss 8.8epss 0.02

    In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to a invalid free, because the type of a box may be changed between a read operation and a free operation.

  • CVE-2017-8311HigMay 23, 2017
    risk 0.54cvss 7.8epss 0.09

    Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before 2.2.5 due to skipping NULL terminator in an input string allows attackers to execute arbitrary code via a crafted subtitles file.

  • CVE-2024-46461HigSep 25, 2024
    risk 0.52cvss 8.0epss 0.01

    VLC media player 3.0.20 and earlier is vulnerable to denial of service through an integer overflow which could be triggered with a maliciously crafted mms stream (heap based overflow). If successful, a malicious third party could trigger either a crash of VLC or an arbitrary…

  • CVE-2017-13135HigNov 16, 2017
    risk 0.51cvss 7.8epss 0.01

    A NULL Pointer Dereference exists in VideoLAN x265, as used in libbpg 0.9.7 and other products, because the CUData::initialize function in common/cudata.cpp mishandles memory-allocation failure.

  • CVE-2017-9301HigMay 29, 2017
    risk 0.51cvss 7.8epss 0.03

    plugins\audio_filter\libmpgatofixed32_plugin.dll in VideoLAN VLC media player 2.2.4 allows remote attackers to cause a denial of service (invalid read and application crash) or possibly have unspecified other impact via a crafted file.

  • CVE-2017-9300HigMay 29, 2017
    risk 0.51cvss 7.8epss 0.03

    plugins\codec\libflac_plugin.dll in VideoLAN VLC media player 2.2.4 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted FLAC file.

  • CVE-2023-47360HigNov 7, 2023
    risk 0.49cvss 7.5epss 0.01

    Videolan VLC prior to version 3.0.20 contains an Integer underflow that leads to an incorrect packet length.

  • CVE-2013-3245MedJul 10, 2013
    risk 0.41cvss 6.3epss 0.03

    plugins/demux/libmkv_plugin.dll in VideoLAN VLC Media Player 2.0.7, and possibly other versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MKV file, possibly involving an integer overflow and out-of-bounds read…

  • CVE-2017-8313MedMay 23, 2017
    risk 0.36cvss 5.5epss 0.01

    Heap out-of-bound read in ParseJSS in VideoLAN VLC before 2.2.5 due to missing check of string termination allows attackers to read data beyond allocated memory and potentially crash the process via a crafted subtitles file.

  • CVE-2017-8312MedMay 23, 2017
    risk 0.36cvss 5.5epss 0.01

    Heap out-of-bound read in ParseJSS in VideoLAN VLC due to missing check of string length allows attackers to read heap uninitialized data via a crafted subtitles file.

  • CVE-2017-8310MedMay 23, 2017
    risk 0.36cvss 5.5epss 0.01

    Heap out-of-bound read in CreateHtmlSubtitle in VideoLAN VLC 2.2.x due to missing check of string termination allows attackers to read data beyond allocated memory and potentially crash the process (causing a denial of service) via a crafted subtitles file.

  • CVE-2016-3941MedApr 18, 2016
    risk 0.36cvss 5.5epss 0.01

    Buffer overflow in the AStreamPeekStream function in input/stream.c in VideoLAN VLC media player before 2.2.0 allows remote attackers to cause a denial of service (crash) via a crafted wav file, related to "seek across EOF."

  • CVE-2026-26228MedFeb 26, 2026
    risk 0.32cvss 4.9epss 0.00

    VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory…

  • CVE-2025-51602MedJan 16, 2026
    risk 0.31cvss 4.8epss 0.00

    mmstu.c in VideoLAN VLC media player before 3.0.22 allows an out-of-bounds read and denial of service via a crafted 0x01 response from an MMS server.

  • CVE-2026-26227LowFeb 26, 2026
    risk 0.24cvss 3.7epss 0.00

    VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective…

  • CVE-2010-3275Mar 28, 2011
    risk 0.09cvss epss 0.76

    libdirectx_plugin.dll in VideoLAN VLC Media Player before 1.1.8 allows remote attackers to execute arbitrary code via a crafted width in an AMV file, related to a "dangling pointer vulnerability."

  • CVE-2008-4654Oct 22, 2008
    risk 0.08cvss epss 0.58

    Stack-based buffer overflow in the parse_master function in the Ty demux plugin (modules/demux/ty.c) in VLC Media Player 0.9.0 through 0.9.4 allows remote attackers to execute arbitrary code via a TiVo TY media file with a header containing a crafted size value.

  • CVE-2012-1775Mar 19, 2012
    risk 0.07cvss epss 0.45

    Stack-based buffer overflow in VideoLAN VLC media player before 2.0.1 allows remote attackers to execute arbitrary code via a crafted MMS:// stream.

  • CVE-2011-0522Feb 7, 2011
    risk 0.07cvss epss 0.52

    The StripTags function in (1) the USF decoder (modules/codec/subtitles/subsdec.c) and (2) the Text decoder (modules/codec/subtitles/subsusf.c) in VideoLAN VLC Media Player 1.1 before 1.1.6-rc allows remote attackers to execute arbitrary code via a subtitle with an opening "<"…

  • CVE-2011-0531Feb 7, 2011
    risk 0.06cvss epss 0.42

    demux/mkv/mkv.hpp in the MKV demuxer plugin in VideoLAN VLC media player 1.1.6.1 and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary commands via a crafted MKV (WebM or Matroska) file that triggers memory corruption, related to "class…

  • CVE-2009-2484Jul 16, 2009
    risk 0.06cvss epss 0.35

    Stack-based buffer overflow in the Win32AddConnection function in modules/access/smb.c in VideoLAN VLC media player 0.9.9, when running on Microsoft Windows, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long…

  • CVE-2008-5036Nov 10, 2008
    risk 0.06cvss epss 0.41

    Stack-based buffer overflow in VideoLAN VLC media player 0.9.x before 0.9.6 might allow user-assisted attackers to execute arbitrary code via an an invalid RealText (rt) subtitle file, related to the ParseRealText function in modules/demux/subtitle.c. NOTE: this issue was SPLIT…

  • CVE-2014-9598Jan 21, 2015
    risk 0.04cvss epss 0.06

    The picture_Release function in misc/picture.c in VideoLAN VLC media player 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service (write access violation) via a crafted M2V file.

  • CVE-2014-9597Jan 21, 2015
    risk 0.04cvss epss 0.07

    The picture_pool_Delete function in misc/picture_pool.c in VideoLAN VLC media player 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service (DEP violation and application crash) via a crafted FLV file.

  • CVE-2013-6283Oct 25, 2013
    risk 0.04cvss epss 0.10

    VideoLAN VLC Media Player 2.0.8 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a URL in a m3u file.

  • CVE-2013-1868Jul 10, 2013
    risk 0.04cvss epss 0.11

    Multiple buffer overflows in VideoLAN VLC media player 2.0.4 and earlier allow remote attackers to cause a denial of service (crash) and execute arbitrary code via vectors related to the (1) freetype renderer and (2) HTML subtitle parser.

  • CVE-2012-2396Apr 19, 2012
    risk 0.04cvss epss 0.07

    VideoLAN VLC media player 2.0.1 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted MP4 file.

  • CVE-2011-2194Jun 24, 2011
    risk 0.04cvss epss 0.09

    Integer overflow in the XSPF playlist parser in VideoLAN VLC media player 0.8.5 through 1.1.9 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors that trigger a heap-based buffer overflow.

  • CVE-2010-3124Aug 26, 2010
    risk 0.04cvss epss 0.13

    Untrusted search path vulnerability in bin/winvlc.c in VLC Media Player 1.1.3 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wintab32.dll that is located in the same folder as a .mp3…

  • CVE-2010-0364Jan 21, 2010
    risk 0.04cvss epss 0.07

    Stack-based buffer overflow in VideoLAN VLC Media Player 0.8.6 allows user-assisted remote attackers to execute arbitrary code via an ogg file with a crafted Advanced SubStation Alpha Subtitle (.ass) file, probably involving the Dialogue field.

  • CVE-2009-1045Mar 23, 2009
    risk 0.04cvss epss 0.09

    requests/status.xml in VLC 0.9.8a allows remote attackers to cause a denial of service (stack consumption and crash) via a long input argument in an in_play action.

  • CVE-2008-5032Nov 10, 2008
    risk 0.04cvss epss 0.11

    Stack-based buffer overflow in VideoLAN VLC media player 0.5.0 through 0.9.5 might allow user-assisted attackers to execute arbitrary code via the header of an invalid CUE image file, related to modules/access/vcd/cdrom.c. NOTE: this identifier originally included an issue…

  • CVE-2008-4686Oct 22, 2008
    risk 0.04cvss epss 0.10

    Multiple integer overflows in ty.c in the TY demux plugin (aka the TiVo demuxer) in VideoLAN VLC media player, probably 0.9.4, might allow remote attackers to execute arbitrary code via a crafted .ty file, a different vulnerability than CVE-2008-4654.

  • CVE-2008-4558Oct 15, 2008
    risk 0.04cvss epss 0.09

    Array index error in VLC media player 0.9.2 allows remote attackers to overwrite arbitrary memory and execute arbitrary code via an XSPF playlist file with a negative identifier tag, which passes a signed comparison.

  • CVE-2008-3794Aug 26, 2008
    risk 0.04cvss epss 0.11

    Integer signedness error in the mms_ReceiveCommand function in modules/access/mms/mmstu.c in VLC Media Player 0.8.6i allows remote attackers to execute arbitrary code via a crafted mmst link with a negative size value, which bypasses a size check and triggers an integer overflow…

  • CVE-2008-3732Aug 20, 2008
    risk 0.04cvss epss 0.13

    Integer overflow in the Open function in modules/demux/tta.c in VLC Media Player 0.8.6i allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TTA file, which triggers a heap-based buffer overflow. NOTE: some of…

  • CVE-2008-1769Apr 25, 2008
    risk 0.04cvss epss 0.07

    VLC before 0.8.6f allow remote attackers to cause a denial of service (crash) via a crafted Cinepak file that triggers an out-of-bounds array access and memory corruption.

  • CVE-2008-1881Apr 17, 2008
    risk 0.04cvss epss 0.12

    Stack-based buffer overflow in the ParseSSA function (modules/demux/subtitle.c) in VLC 0.8.6e allows remote attackers to execute arbitrary code via a long subtitle in an SSA file. NOTE: this issue is due to an incomplete fix for CVE-2007-6681.

  • CVE-2008-1489Mar 25, 2008
    risk 0.04cvss epss 0.12

    Integer overflow in the MP4_ReadBox_rdrf function in libmp4.c for VLC 0.8.6e allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MP4 RDRF box that triggers a heap-based buffer overflow, a different vulnerability than…

  • CVE-2008-0984Feb 26, 2008
    risk 0.04cvss epss 0.15

    The MP4 demuxer (mp4.c) for VLC media player 0.8.6d and earlier, as used in Miro Player 1.1 and earlier, allows remote attackers to overwrite arbitrary memory and execute arbitrary code via a malformed MP4 file.

  • CVE-2007-6681Jan 17, 2008
    risk 0.04cvss epss 0.17

    Stack-based buffer overflow in modules/demux/subtitle.c in VideoLAN VLC 0.8.6d allows remote attackers to execute arbitrary code via a long subtitle in a (1) MicroDvd, (2) SSA, and (3) Vplayer file.

  • CVE-2007-6682Jan 17, 2008
    risk 0.04cvss epss 0.15

    Format string vulnerability in the httpd_FileCallBack function (network/httpd.c) in VideoLAN VLC 0.8.6d allows remote attackers to execute arbitrary code via format string specifiers in the Connection parameter.

  • CVE-2007-6262Dec 6, 2007
    risk 0.04cvss epss 0.11

    A certain ActiveX control in axvlc.dll in VideoLAN VLC 0.8.6 before 0.8.6d allows remote attackers to execute arbitrary code via crafted arguments to the (1) addTarget, (2) getVariable, or (3) setVariable function, resulting from a "bad initialized pointer," aka a "recursive…

Page 1 of 3