VLC 3.0.11 arrives mainly to fix bugs and one vulnerability

VLC 3.0.10

Less than two months after the previous version, VideoLAN has released VLC 3.0.11. Like the version that arrived at the end of April, this is not a very exciting release, but it does bring bug fixes and security improvements. Specifically, they have fixed a vulnerability, CVE-2020-13428, which, although they do not rate it in their advisory, we could say is of medium or high priority, though how easy it is to exploit also has a bearing on that.

The security bug that was fixed could allow remote attackers to execute commands or crash the VLC player on a vulnerable computer. Specifically, it is a "buffer overflow in VLC's H26X packetizer" and, if properly exploited, can allow attackers to execute commands with the same privileges as the user.

VLC 3.0.11 now available for Windows, macOS and Linux

According to VideoLAN's advisory:

The affected code was only used by the macOS / iOS hardware accelerated decoder (VideoToolbox), which means that other platforms are not affected.

If successful, a malicious third party could trigger a VLC crash or arbitrary code execution with the privileges of the target user.

While these issues themselves are likely to only crash the player, we cannot exclude that they can be combined to leak user information or remotely execute code. ASLR and DEP help reduce the likelihood of code execution, but can be bypassed.

We have not seen any exploits that execute code using this vulnerability.

Windows and macOS users can now install the new version by updating from within the player itself or by downloading VLC 3.0.11 from the official website, which you can reach from this link. Linux users can also get it from the same link in different formats, as well as from Flathub. In the next few days (or even weeks), it will reach the official repositories of most Linux distributions.
