CVE-2020-13428: VLC Media Player 3.0.11 Fixes Severe Remote Code Execution Flaw

CVE-2020-13428:
A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file.


Impact:
According to VideoLAN's security bulletin, this vulnerability can be exploited by creating a specially crafted file and tricking a user into opening it with VLC.
If successful, a malicious third party could trigger either a crash of VLC or arbitrary code execution with the privileges of the target user.


Mitigations:
Due to the severity of this vulnerability it is strongly advised that all users download and install version 3.0.11. For more information, please visit the following URL:
http://www.videolan.org/vlc/releases/3.0.11.html
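To act on the mitigation above, an administrator needs to know whether an installed copy of VLC is older than 3.0.11. The following check is an added example (not VideoLAN's code): it parses the banner line of `vlc --version` and compares the version numerically, so that 3.0.9 and 3.0.10 are correctly treated as older than 3.0.11 (a plain string comparison would not do this). The exact banner wording is assumed, and the sample output is constructed rather than captured from a real host.

```python
import re
from typing import Optional, Tuple

# Constructed sample of the first line printed by `vlc --version`
# (the "VLC version X.Y.Z Codename (...)" layout is an assumption).
SAMPLE_OUTPUT = "VLC version 3.0.10 Vetinari (3.0.10-0-g0000000000)"

# First release containing the fix for CVE-2020-13428, per the advisory.
FIXED_VERSION = (3, 0, 11)


def parse_vlc_version(output: str) -> Optional[Tuple[int, ...]]:
    """Extract the dotted version number from the `vlc --version` banner.

    Accepts both "VLC version 3.0.10 ..." and "VLC media player 3.0.10 ..."
    so that minor wording differences between builds do not break the check.
    """
    m = re.search(r"VLC (?:media player |version )?(\d+(?:\.\d+)+)", output)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True when `version` is older than 3.0.11 (CVE-2020-13428 unfixed).

    Tuples are padded with zeros so that (3, 0) compares as (3, 0, 0).
    """
    width = max(len(version), len(FIXED_VERSION))
    padded = version + (0,) * (width - len(version))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return padded < fixed


def check(output: str) -> str:
    """Classify a `vlc --version` banner as 'vulnerable', 'fixed' or 'unknown'."""
    version = parse_vlc_version(output)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "fixed"


if __name__ == "__main__":
    print(check(SAMPLE_OUTPUT))
```

Note that distribution packages (for example the Debian update in DSA-4704 listed below) may carry the fix under a version string that is still below 3.0.11; on such systems the package manager's changelog, not the upstream number, is the authoritative check.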


Reference:
https://nvd.nist.gov/vuln/detail/CVE-2020-13428
https://github.com/videolan/vlc-3.0/releases/tag/3.0.11
https://www.debian.org/security/2020/dsa-4704
