VLC Media Player Update Needed: CVE-2024-46461 Discovered
Users of the popular VLC media player are being urged to update their software immediately following the discovery of a critical vulnerability that could allow malicious actors to crash the program or even execute arbitrary code.
The vulnerability, tracked as CVE-2024-46461, carries a CVSS score of 8.0, highlighting its high severity. The issue stems from a potential integer overflow that can be triggered when VLC processes a maliciously crafted MMS stream. While the most likely outcome is a crash, security experts warn that in combination with other vulnerabilities, this flaw could lead to information leaks or remote code execution.
“While these issues in themselves are most likely to just crash the player, we can’t exclude that they could be combined to leak user information or remotely execute code. ASLR and DEP help reduce the likelihood of code execution, but may be bypassed,” VLC wrote.
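To illustrate the bug class the advisory describes, here is an added example that is not VLC code and does not reproduce the actual MMS flaw: a deliberately simplified, constructed chunk format (a 4-byte little-endian payload length followed by the payload) parsed two ways. The naive check adds the header size to an attacker-controlled length in 32-bit arithmetic, so a huge length wraps to a small total and the bounds check passes; the hardened check compares the length against the bytes actually remaining, which cannot wrap. The chunk layout, function names and sample buffers are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed chunk layout for this example only (NOT the MMS wire format):
   4-byte little-endian payload length, then that many payload bytes. */
#define CHUNK_HDR 4u

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Naive validation: decides whether the chunk fits in buf.
   BUG (intentional, for illustration): CHUNK_HDR + payload_len is computed in
   uint32_t, so a payload_len near UINT32_MAX wraps to a small total and the
   check passes. A later memcpy of payload_len bytes would read out of bounds. */
static bool chunk_accept_naive(const uint8_t *buf, size_t buf_len, size_t *payload_len_out) {
    if (buf_len < CHUNK_HDR) return false;
    uint32_t payload_len = rd_le32(buf);
    uint32_t total = CHUNK_HDR + payload_len;   /* may wrap */
    if (total > buf_len) return false;
    *payload_len_out = payload_len;
    return true;
}

/* Hardened validation: compare against the bytes that remain after the header.
   buf_len >= CHUNK_HDR is established first, so the subtraction cannot wrap,
   and no attacker-controlled value is ever added to anything. */
static bool chunk_accept_checked(const uint8_t *buf, size_t buf_len, size_t *payload_len_out) {
    if (buf_len < CHUNK_HDR) return false;
    uint32_t payload_len = rd_le32(buf);
    if (payload_len > buf_len - CHUNK_HDR) return false;
    *payload_len_out = payload_len;
    return true;
}

/* Copies the payload only after the hardened check and an output-capacity check. */
static bool chunk_copy_payload(const uint8_t *buf, size_t buf_len,
                               uint8_t *out, size_t out_cap, size_t *copied) {
    size_t n = 0;
    if (!chunk_accept_checked(buf, buf_len, &n)) return false;
    if (n > out_cap) return false;
    memcpy(out, buf + CHUNK_HDR, n);
    *copied = n;
    return true;
}

/* Constructed sample input: a well-formed chunk carrying "abc". */
static const uint8_t sample_good[] = { 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c' };

/* Constructed sample input: length field 0xFFFFFFFE with only 4 payload bytes present.
   4 + 0xFFFFFFFE wraps to 2 in 32-bit arithmetic, which is <= 8, so the naive check accepts it. */
static const uint8_t sample_bad[]  = { 0xFE, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 };

int main(void) {
    size_t n = 0;
    printf("naive   accepts bad chunk: %s\n",
           chunk_accept_naive(sample_bad, sizeof sample_bad, &n) ? "yes (overflow)" : "no");
    printf("checked accepts bad chunk: %s\n",
           chunk_accept_checked(sample_bad, sizeof sample_bad, &n) ? "yes" : "no");
    uint8_t out[16];
    size_t copied = 0;
    if (chunk_copy_payload(sample_good, sizeof sample_good, out, sizeof out, &copied))
        printf("good chunk payload: %.*s (%zu bytes)\n", (int)copied, out, copied);
    return 0;
}
```

The same reasoning applies to any parser that derives a size from untrusted input: check the derived value against what is actually available rather than adding it to something, or use overflow-checked arithmetic (for example GCC/Clang's `__builtin_add_overflow`), and compile with sanitizers such as `-fsanitize=undefined,address` during testing so that wraparound and out-of-bounds reads surface as failures instead of silent acceptance.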
The vulnerability was responsibly disclosed by Andreas Fobian of Mantodea Security GmbH, and a patch has already been released to prevent exploitation. So far, no known real-world attacks have exploited this vulnerability to execute code, but the risk remains substantial enough to warrant immediate attention.
The good news is that exploiting CVE-2024-46461 requires specific actions from the user: the attack is only triggered when the victim explicitly opens a maliciously crafted MMS stream. As a precaution, users are advised to avoid opening MMS streams from untrusted sources until they can apply the latest security patch. For those who use VLC browser plugins, disabling them temporarily can also reduce the attack surface.
The best course of action is to update your VLC media player to version 3.0.21 or later. This latest version includes a patch that addresses the vulnerability and significantly reduces the risk of exploitation.