Security

Security contacts

Email: security@REMOVE@videolan.org.

Please note that signed emails are welcome, and responsible disclosure is very much appreciated.

VLC releases Security Bulletins (SB)

Those bulletins are related to each VLC release and can be made of multiple security issues, internal and external.

2025

VideoLAN-SB-VLC-322: Vulnerabilities fixed in VLC media player 3.0.22 Details

2024

VideoLAN-SB-VLC-321: Vulnerability fixed in VLC media player 3.0.21 Details
VideoLAN-SB-VLC-iOS-359: Vulnerability fixed in VLC-iOS 3.5.9 Details

2023

VideoLAN-SB-VLC-319: Vulnerability fixed in VLC media player 3.0.19 Details
VideoLAN-SB-VLC-320: Vulnerability fixed in VLC media player 3.0.20 Details

2022

VideoLAN-SB-VLC-318: Multiple vulnerabilities fixed in VLC media player 3.0.18 Details

2021

VideoLAN-SB-VLC-313: Multiple vulnerabilities fixed in VLC media player 3.0.13 Details

2020

VideoLAN-SB-VLC-311: Multiple vulnerabilities fixed in VLC media player 3.0.11 Details
VideoLAN-SB-VLC-312: Multiple vulnerabilities fixed in VLC media player 3.0.12 Details
VideoLAN-SB-VLC-309: Multiple vulnerabilities fixed in VLC media player 3.0.9/3.0.10 Details

2019

VideoLAN-SB-VLC-308: Multiple vulnerabilities fixed in VLC media player 3.0.8 Details

VideoLAN security advisories

Please note: The VideoLAN project does not issue security advisories for underlying third party libraries. Please refer to the concerned third parties as appropriate.

2019

VideoLAN-SA-1901: Buffer overflow in avi demuxer & heap use after free in mkv demuxer Details

2018

VideoLAN-SA-1801: Heap use after free in avformat demuxer Details

2016

VideoLAN-SA-1601: Buffer Overflow in Processing QuickTime IMA Files Details

2015

VideoLAN-SA-1501: Multiple heap and buffer overflows Details

2013

VideoLAN-SA-1301: Overflow in subtitles decoder Details
VideoLAN-SA-1302 (CVE-2013-1954): Overflow in ASF Demuxer Details

2012

VideoLAN-SA-1201 (CVE-2012-1775): Stack overflow in MMS protocol Details
VideoLAN-SA-1202 (CVE-2012-1776): Heap overflows in Real RTPS protocol Details
VideoLAN-SA-1203 (CVE-2012-5470): Overflow in PNG decoder Details

2011

VideoLAN-SA-1101 (CVE-2011-0021): Heap corruption in CDG codec. Details
VideoLAN-SA-1102 (CVE-2011-0531): Insufficient input validation in MKV demuxer. Details
VideoLAN-SA-1103 (CVE-2011-1684): Heap corruption in MP4 demuxer. Details
VideoLAN-SA-1104 (CVE-2011-2194): Integer overflow in XSPF demuxer. Details
VideoLAN-SA-1105 (CVE-2011-2587): Heap buffer overflow in RealMedia demuxer. Details
VideoLAN-SA-1106 (CVE-2011-2588): Heap buffer overflow in AVI demuxer. Details
VideoLAN-SA-1107 (CVE-2011-3333): NULL dereference in HTTP and RTSP server. Details
VideoLAN-SA-1108 (CVE-2012-0023): Heap corruption in TiVo demuxer. Details

2010

VideoLAN-SA-1001: Clam AntiVirus input validation error Details
VideoLAN-SA-1002: Buffer overflow in ancient VLC media player Details
VideoLAN-SA-1003 (CVE-2010-1441..5): Multiple vulnerabilities in VLC. Details
VideoLAN-SA-1004 (CVE-2010-2937): Insufficient input validation VLC TagLib plugin. Details
VideoLAN-SA-1005 (CVE-2010-3124): DLL preloading vulnerability. Details
VideoLAN-SA-1006: Stack smashing in SMB/CIFS access. Details
VideoLAN-SA-1007 (CVE-2010-3907): Buffer overflow in Real Media demuxer. Details

2009

VideoLAN-SA-0901: Stack overflows in VLC demuxers. Details

2008

VideoLAN-SA-0801 (CVE-2007-6681, CVE-2007-6682, CVE-2008-0295, CVE-2008-0296): Format string vulnerability in the Web interface. Stack-based buffer overflow in the Subtitles demuxer. String buffer overflows in the Real RTSP demuxer. Details
VideoLAN-SA-0802, CORE-2008-0130 (CVE-2008-0984): Arbitrary memory overwrite vulnerability in the MP4 demuxer. Details
VideoLAN-SA-0803 (CVE-2008-0073, CVE-2008-1489, CVE-2008-1768, CVE-2008-1769): Arbitrary memory overwrite vulnerabilities in multiple modules: Real RTSP demuxer, Real Media demuxer, MP4 demuxer, Cinepak decoder. Details
VideoLAN-SA-0804 (CVE-2007-6683): Arbitrary file overwrite and other abuses through M3U parser and browsers plugins. Details
VideoLAN-SA-0805 (CVE-2008-2147): Arbitrary code execution through rogue VLC plugins in the current directory. Details
VideoLAN-SA-0806 (CVE-2008-2430): Arbitrary code execution through potential heap-overflows in VLC's WAV demuxer. Details
VideoLAN-SA-0807 (CVE-2008-3732, CVE-2008-3794): Multiple overflows in VLC demuxers. Details
VideoLAN-SA-0809 (CVE-2008-4654, CVE-2008-4686): Buffer overflow in VLC TiVo demuxer. Details
VideoLAN-SA-0810 (CVE-2008-5032, CVE-2008-5036): Multiple overflows in VLC demuxers. Details
VideoLAN-SA-0811 (CVE-2008-5276): Buffer overflows in VLC Real demuxers. Details

2007

VideoLAN-SA-0701, MOAB-02-01-2007 (CVE-2007-0017): URL format string injection in CDDA and VCDX plugins. Details
VideoLAN-SA-0702 (CVE-2007-3316): Format string injection in Vorbis, Theora, SAP and CDDA plugins. Details
VideoLAN-SA-0703, CORE-2007-1004 (CVE-2007-6262): Recursive plugin release vulnerability in the Active X plugin. Details