VLC Receives Patch for Two Zero-Day Vulnerabilities

VideoLAN, the organization behind the open-source video player VLC, has recently announced that two major vulnerabilities have been fixed.

Jean-Baptiste Kempf, the organization’s president and lead developer, explained that the two fixes are part of a larger patch, which VideoLAN began pushing last week.

Over 33 issues were fixed, including a stack buffer overflow and an out-of-bounds write, two vulnerabilities that could have been exploited by attackers.

VLC’s patch is part of the EU’s bug-fixing initiative, a pan-European project that aims to reduce cybercrime by identifying and fixing vulnerable entry points in widely used software.

Should I stop using VLC Player?

I wouldn’t put too much stock in the reasoning “I should delete app X just because someone said it might leave my device vulnerable to malware.”

If we did that every time someone broke this kind of news to us, we would have to stop using every app in the web store. Fortunately, this is not the case with VLC, which seems to take its bug-patching game to the next level.

According to Kempf, the project’s patching crusade is part of a much larger bug bounty venture funded by the European Commission. Since the program started in January, the Commission has funded 14 bug bounty initiatives.

During this time, thousands of zero-day vulnerabilities have been identified by ethical hackers. VLC was not short of people willing to give a helping hand.

A person who goes by the HackerOne handle ele7enxxh has identified no fewer than 13 bugs in VLC.

And as merit seldom goes unrewarded, the ethical hacker’s dedication earned him (or her) a whopping $13,260 (now that’s what I call putting your game face on).

Now, as far as VLC’s patch is concerned, according to Kempf, most of the other fixes included in the 3.0.7 update are considered minor. The highlights are, of course, the hotfixes for the out-of-bounds write and stack buffer overflow bugs.

In a blog post dated June 7th, Kempf writes that the out-of-bounds write bug stemmed from the player’s faad2 library, not from the app’s own codebase.

As for the stack buffer overflow issue, it would seem that a defective Reliable Stream Transport module was at fault. Both issues have been corrected, as far as anyone can tell.

VideoLAN was one of many organizations that enrolled in the EU’s bug-seeking program. Since the program was launched, projects like PuTTY, Notepad++, FileZilla, and Apache Kafka have managed to root out zero-day vulnerabilities, making those apps safer.

To answer your question – no, you shouldn’t stop using VLC. At least, not right now. Sure, as a whole, the app still needs more ironing out, but it’s still the best open-source video player on the market.

Now, if you’re running an older version of VLC, I would recommend updating it as soon as possible. This goes for every device you have. If you’re interested in seeing the full list of VLC’s fixes, head over to the project’s support page.
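If you manage several machines, the quickest way to act on that advice is to check which ones still run a release older than 3.0.7. The script below is an added example, not code from VideoLAN or this post; it assumes `vlc --version` is on the PATH and prints its usual banner (on Linux and macOS; the Windows GUI binary does not write to the console), and the sample banners in it are constructed for illustration.

```python
import re
import subprocess

# The release this post recommends as the minimum: VLC 3.0.7.
PATCHED_VERSION = (3, 0, 7)

# Matches the first line of `vlc --version`, e.g.
# "VLC media player 3.0.7 Vetinari (revision 3.0.7-0-g...)".
# Four-part builds such as 3.0.7.1 are accepted as well.
_VERSION_RE = re.compile(r"VLC media player (\d+(?:\.\d+)+)")

# Constructed sample banners (not captured from real installs).
SAMPLE_BANNERS = {
    "old": "VLC media player 3.0.6 Vetinari (revision 3.0.6-0-g5803e85f25)",
    "patched": "VLC media player 3.0.7 Vetinari (revision 3.0.7-0-gabcdef0123)",
    "garbage": "command not found",
}


def parse_vlc_version(banner: str):
    """Return the version as a tuple of ints, or None if no banner is found."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def needs_update(version, minimum=PATCHED_VERSION) -> bool:
    """True when VLC is missing or predates the patched release.

    Tuple comparison handles extra components: (3, 0, 7, 1) is not
    older than (3, 0, 7), while (3, 0, 6, 2) is.
    """
    return version is None or tuple(version) < tuple(minimum)


def check_installed(vlc_binary: str = "vlc"):
    """Run `vlc --version` and return (version_tuple_or_None, needs_update)."""
    try:
        proc = subprocess.run([vlc_binary, "--version"],
                              capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None, True
    version = parse_vlc_version(proc.stdout)
    return version, needs_update(version)


if __name__ == "__main__":
    print(check_installed())
```

An unparseable banner is treated as "needs attention" rather than "fine", so a broken or missing install is never silently reported as patched.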

So, what’s your take on VLC’s latest announcement and EU’s bug bounty hunt? Hit the comments section and let me know your thoughts.

About Daniel Sadler

Old-school PC gamer, poetry buff, cat lover, tech wiz. His writing career began almost two decades ago when he modestly acknowledged that hindsight or, lack thereof, can compromise security. He enjoys spending quality time with his friends and family. Most of his friends refer to Daniel as a "man of a few words, but, man, what words!" His interests include cybersecurity, IT, blogging, and, of course, everything related to technology.
