VLC Media Player 3.0.18 update available
The update fixes a critical security vulnerability among other things.
VLC Media Player has been updated to version 3.0.18, in which the developers fix a critical security vulnerability, among other things.
The newly released version 3.0.18 of VLC Media Player fixes several security vulnerabilities. One of them is considered critical and allows attackers on the network to inject malicious code onto computers using manipulated files or streams.
VLC contains a VNC module that could execute malicious code from the network due to a possible buffer overflow. To trigger this, a malicious VNC URL must be played (CVE-2022-41325). Such a URL can also be contained in a local file, such as an m3u playlist.
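Because the VNC URL can sit inside a local playlist, one defensive check before and after patching is to look for playlists that reference the `vnc://` scheme. The following is an added example, not code from VideoLAN or the original article; the function names, the `.m3u`/`.m3u8` suffix list and the sample playlist are assumptions made for illustration.

```python
import re
from pathlib import Path

# Schemes to flag; "vnc" is the one tied to CVE-2022-41325 in the text above.
FLAGGED_SCHEMES = {"vnc"}
# RFC 3986 scheme followed by "://"; a Windows path such as C:\x does not match.
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")


def flagged_entries(playlist_text, schemes=FLAGGED_SCHEMES):
    """Return (line_number, entry) pairs for entries that use a flagged scheme."""
    hits = []
    for number, raw in enumerate(playlist_text.splitlines(), start=1):
        entry = raw.lstrip("\ufeff").strip()  # tolerate a UTF-8 BOM on line 1
        if not entry or entry.startswith("#"):
            continue  # blank lines, #EXTM3U / #EXTINF directives, comments
        match = SCHEME_RE.match(entry)
        if match and match.group(1).lower() in schemes:  # schemes are case-insensitive
            hits.append((number, entry))
    return hits


def scan_tree(root, suffixes=(".m3u", ".m3u8")):
    """Walk a directory tree and map each playlist path to its flagged entries."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_bytes().decode("utf-8", errors="replace")
            hits = flagged_entries(text)
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample playlist (hypothetical hosts, not from a real file).
SAMPLE = (
    "\ufeff#EXTM3U\n"
    "#EXTINF:-1,Lecture\n"
    "http://media.example/lecture.mp4\n"
    "#EXTINF:-1,Desktop\n"
    "VNC://host.example:5900\n"
    "# vnc://commented.example\n"
    "C:\\Videos\\clip.mp4\n"
)

if __name__ == "__main__":
    for line_no, entry in flagged_entries(SAMPLE):
        print(f"line {line_no}: {entry}")
```

A hit is not proof of malice, since `vnc://` entries can be legitimate; it marks playlists worth reviewing on machines that have not yet been updated to 3.0.18.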
According to VideoLAN, VLC 3.0.18 fixes further flaws. Due to a possible division by zero, a manipulated MP4 file could trigger a denial of service (DoS). With multiple files, calling free twice could attempt to free resources again (a double free), causing the software to crash. Due to a null pointer dereference, a denial of service could occur when processing crafted .ogg files.
The VLC developers emphasize that they are not aware of any exploits that abuse the vulnerabilities. The new version can be downloaded from the project's download page as a Windows installer. Linux users must open their distribution's own software management and look for the update to version 3.0.18 there.