CVE-2022-41325: VLC media player remote code execution vulnerability

VideoLAN this week released a software update to its highly popular VLC media player to address four vulnerabilities, the most important of which could lead to arbitrary code execution on target systems.

With more than 1 billion downloads, VLC is a free and open-source cross-platform multimedia player and framework that plays most multimedia files as well as DVDs, Audio CDs, VCDs, and various streaming protocols that are currently being used by hundreds of millions of users worldwide on all major platforms, including Windows, macOS, Linux, as well as Android and iOS mobile platforms.

The high-risk flaw, identified as CVE-2022-41325 (CVSS score: 7.8) and discovered by 0xMitsurugi from Synacktiv, is a buffer overflow that resides in the vnc module and can be triggered using a malicious vnc URL. 0xMitsurugi published the technical detail and a PoC code for this flaw.

“If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user,” VideoLAN explains in a security bulletin.

“While these issues in themselves are most likely to just crash the player, we can’t exclude that they could be combined to leak user informations or remotely execute code. ASLR and DEP help reduce the likelyness of code execution, but may be bypassed.”

CVE-2022-41325 affects VLC media player 3.0.17 and earlier and was fixed by releasing VLC version 3.0.18. No exploits that abuse this vulnerability for code execution have been observed until now.

The latest version also fixed three other vulnerabilities, including:

• A denial of service could be triggered with a wrong mp4 file (div by 0) (#27202)
• Fix crashes with multiple files due to double free (#26930)
• A denial of service could be triggered with the wrong oog file (null pointer dereference) (#27294)