CVE-2020-13428: VLC Media Player 3.0.11 Fixes Severe Remote Code Execution Flaw
by CIRT Team
A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file.
According to VideoLAN's security bulletin, this vulnerability can be exploited by creating a specially crafted file and tricking a user into opening it with VLC.
If successful, a malicious third party could trigger either a crash of VLC or arbitrary code execution with the privileges of the target user.
Due to the severity of this vulnerability, it is strongly advised that all users download and install version 3.0.11. For more information, please visit the following URL:
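As an added example (not from the advisory or from VideoLAN), a small check that a fleet-inventory or patch script can use to decide whether an installed VLC predates the fixed 3.0.11 release; the `vlc --version` output format and the sample lines are assumptions, and the comparison is done numerically so that four-part releases such as 3.0.9.2 are not mis-sorted by a string compare.

```python
import re
import subprocess

# Fixed release named in the advisory: every earlier version is affected.
FIXED_VERSION = (3, 0, 11)

# Constructed samples of the first line of `vlc --version` for offline use;
# the real output layout is an assumption, not quoted from the advisory.
SAMPLE_VULNERABLE = "VLC version 3.0.9.2 Vetinari (3.0.9.2-0-gd4c1aefe4d)"
SAMPLE_FIXED = "VLC version 3.0.11 Vetinari (3.0.11-0-g0123456789)"


def parse_version(text):
    """Extract the first dotted version number in text as a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no version number found in: %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version, fixed=FIXED_VERSION):
    """True when version sorts before the fixed release.

    Tuples compare component by component as integers, so
    (3, 0, 9, 2) < (3, 0, 11) holds, whereas the strings
    "3.0.9.2" < "3.0.11" would be False and hide an affected install.
    """
    return tuple(version) < tuple(fixed)


def check_installed(vlc_path="vlc"):
    """Run the installed VLC binary and return (version, affected)."""
    proc = subprocess.run([vlc_path, "--version"], capture_output=True,
                          text=True, check=False)
    version = parse_version(proc.stdout)
    return version, is_affected(version)


if __name__ == "__main__":
    try:
        ver, affected = check_installed()
        status = "AFFECTED, update to 3.0.11" if affected else "not affected"
        print("VLC %s: %s" % (".".join(map(str, ver)), status))
    except (FileNotFoundError, ValueError) as exc:
        print("could not determine VLC version:", exc)
```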