CVE-2019-13962

9.8 CRITICAL

📋 TL;DR

CVE-2019-13962 is a heap-based buffer over-read in VLC media player's video decoding path: lavc_CopyPicture in modules/codec/avcodec/video.c copies a decoded frame into a VLC picture without properly validating the frame's width and height, so a stream that declares a larger frame than the buffer behind it makes the copy read past the end of the heap allocation. An attacker triggers it by getting a user to open a crafted video file; the decoder does not care where the input came from. The direct outcomes are a crash or disclosure of adjacent heap memory; arbitrary code execution is the worst case and would require chaining with a further bug. All VLC versions through 3.0.7 are affected; 3.0.8 fixes it.
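The over-read pattern in miniature, as an added example that is not VLC's code: a hypothetical one-plane picture type (plane_t) is copied once by trusting the dimensions the decoder reports and once after checking that the claimed geometry fits the allocation behind both planes. The struct layout, function names and the 64-byte sample buffers are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical one-plane picture: 8-bit samples, one row every `pitch` bytes.
 * `alloc` is what was really allocated for `data`; width/height are what the
 * decoder *claims* the frame is. */
typedef struct {
    uint8_t *data;
    size_t   pitch;
    unsigned width;
    unsigned height;
    size_t   alloc;
} plane_t;

/* Vulnerable pattern: trust the claimed geometry. If the claimed frame is
 * larger than the buffer behind it, every row past the end is read from
 * whatever follows on the heap (ASan reports heap-buffer-overflow READ). */
void copy_plane_unchecked(plane_t *dst, const plane_t *src)
{
    for (unsigned y = 0; y < src->height; y++)
        memcpy(dst->data + (size_t)y * dst->pitch,
               src->data + (size_t)y * src->pitch, src->width);
}

/* Does a w x h copy stay inside this plane's allocation?
 * Row y starts at y*pitch; the last byte touched is (h-1)*pitch + w - 1. */
int plane_fits(const plane_t *p, unsigned w, unsigned h)
{
    if (w == 0 || h == 0 || p->pitch == 0) return 0;
    if (w > p->pitch || w > p->alloc) return 0;
    return (size_t)(h - 1) <= (p->alloc - w) / p->pitch;   /* alloc >= w, so no underflow */
}

/* Hardened copy: geometry is checked against both allocations and the
 * destination's own dimensions before any byte is moved.
 * Returns 0 on success, -1 when the frame is rejected. */
int copy_plane_checked(plane_t *dst, const plane_t *src)
{
    unsigned w = src->width, h = src->height;
    if (w > dst->width || h > dst->height) return -1;
    if (!plane_fits(src, w, h) || !plane_fits(dst, w, h)) return -1;
    for (unsigned y = 0; y < h; y++)
        memcpy(dst->data + (size_t)y * dst->pitch,
               src->data + (size_t)y * src->pitch, w);
    return 0;
}

/* Constructed scenario: a 64-byte heap buffer holding an honest 8x8 frame.
 * Returns 0 when the checked copy succeeds and reproduces the source. */
int demo_honest_source(void)
{
    uint8_t *sbuf = malloc(64), *dbuf = calloc(64, 1);
    if (!sbuf || !dbuf) { free(sbuf); free(dbuf); return -2; }
    for (int i = 0; i < 64; i++) sbuf[i] = (uint8_t)i;
    plane_t src = { sbuf, 8, 8, 8, 64 };
    plane_t dst = { dbuf, 8, 8, 8, 64 };
    int rc = copy_plane_checked(&dst, &src);
    if (rc == 0 && memcmp(sbuf, dbuf, 64) != 0) rc = -3;
    free(sbuf); free(dbuf);
    return rc;
}

/* Constructed scenario: the same 64-byte buffer, but the source claims 8x16.
 * copy_plane_unchecked would read 64 bytes past the allocation, so it is not
 * run here; the checked copy must refuse. Returns the checked copy's verdict. */
int demo_lying_source(void)
{
    uint8_t *sbuf = malloc(64), *dbuf = calloc(256, 1);
    if (!sbuf || !dbuf) { free(sbuf); free(dbuf); return -2; }
    memset(sbuf, 0xAB, 64);
    plane_t src = { sbuf, 8, 8, 16, 64 };   /* claims twice the rows it holds */
    plane_t dst = { dbuf, 8, 8, 16, 256 };  /* destination is large enough; the source lies */
    int rc = copy_plane_checked(&dst, &src);
    free(sbuf); free(dbuf);
    return rc;
}

int main(void)
{
    printf("honest 8x8 source: %d (0 = copied)\n", demo_honest_source());
    printf("source claiming 8x16 over 64 bytes: %d (-1 = rejected)\n", demo_lying_source());
    return 0;
}
```

Build with `-fsanitize=address` and call copy_plane_unchecked on the lying source to see the read past the allocation reported; the checked version never reaches memcpy for that input.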

💻 Affected Systems

Products:
  • VideoLAN VLC media player
Versions: All versions through 3.0.7
Operating Systems: Windows, Linux, macOS, BSD, Solaris
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is triggered when processing specially crafted video files. All default configurations are vulnerable.

📦 What is this software?

VLC is the VideoLAN project's free, open-source, cross-platform media player and streaming framework. Its avcodec module wraps FFmpeg's libavcodec, which is the decoding path most video formats go through and where this bug lives.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Code execution with the privileges of the VLC process, which means compromise of that user account and, if VLC is run elevated, of the host. An over-read alone does not give the attacker control of execution; this outcome presumes chaining with a further bug.

🟠 Likely Case

VLC crashes (denial of service), or the copied frame carries adjacent heap contents into the decoded picture, a limited information disclosure.

🟢 If Mitigated

A crash with no further impact where VLC runs sandboxed or under a low-privilege account.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction: the victim must open the crafted file. No credentials or prior access are needed. The bug sits in the avcodec decoding module that most video codecs pass through, so it is reachable from any container and codec VLC hands to libavcodec, not from one exotic format.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.8 and later

Vendor Advisory: https://www.videolan.org/security/sb-vlc308.html

Restart Required: Yes

Instructions:

1. Download VLC 3.0.8 or later from videolan.org (or take the fixed package from your distribution).
2. Install the update.
3. Restart VLC and any running instances.

🔧 Temporary Workarounds

Avoid opening untrusted media

all

The over-read runs inside the decoder, so no VLC preference stops it once a crafted file is opened. The Interface settings 'Allow only one instance' and 'Enqueue items into playlist in one instance mode' (Tools → Preferences → Interface) only decide whether a second file is handed to the already-running instance; they do not prevent decoding. Do not open media from untrusted sources, and make sure browsers and download tools are not set to open downloaded media automatically.

Use application whitelisting

windows

Restrict what can execute (AppLocker or Windows Defender Application Control). This does not prevent the over-read itself; it limits what a payload could launch if a chained exploit achieved code execution inside VLC.

🧯 If You Can't Patch

  • Temporarily uninstall VLC until patching is possible
  • Use an alternative media player; note that players built on libVLC ship the same affected module, so check which VLC version they bundle

🔍 How to Verify

Check if Vulnerable:

Check the VLC version via Help → About (GUI) or 'vlc --version' (CLI; on macOS the binary is /Applications/VLC.app/Contents/MacOS/VLC). If the version is 3.0.7 or earlier (including 3.0.7.1), the system is vulnerable. Distribution packages sometimes backport fixes under the old version string, so for a packaged 3.0.7 confirm in the package changelog that CVE-2019-13962 is addressed before treating it as fixed.

Check Version:

vlc --version | head -1

Verify Fix Applied:

Verify VLC version is 3.0.8 or later using the same methods.

📡 Detection & Monitoring

Log Indicators:

  • VLC crash logs with segmentation faults or access violations
  • Unexpected VLC process termination

Network Indicators:

  • Media downloads from untrusted sources; the crafted file can use an ordinary container and codec, so an unusual format or extension is not a reliable signal

SIEM Query:

(EventID=1000 OR EventID=1001) AND Message CONTAINS 'vlc.exe'

Windows Application log, source 'Application Error' (1000) or 'Application Hang' (1001); the faulting application name appears in the event message. Adjust field names to your SIEM's schema. On Linux, look for 'vlc' segfault lines in the kernel log or in coredumpctl.
