CVE-2021-25802

7.1 HIGH

📋 TL;DR

A buffer overflow vulnerability in VLC Media Player's subtitle parsing component allows attackers to trigger out-of-bounds memory reads via specially crafted AVI files. This could lead to application crashes or potentially arbitrary code execution. Users running VLC 3.0.11 or earlier versions are affected.

💻 Affected Systems

Products:
  • VideoLAN VLC Media Player
Versions: 3.0.11 and earlier
Operating Systems: Windows, Linux, macOS, Other platforms running VLC
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable when processing AVI files with subtitles.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise if combined with other vulnerabilities or memory corruption techniques.

🟠 Likely Case

Application crash (denial of service) when processing malicious AVI files, potentially causing data loss in unsaved media sessions.

🟢 If Mitigated

Application crash with no further impact if proper memory protections (ASLR, DEP) are enabled.

🌐 Internet-Facing: LOW - VLC is typically a client application, not internet-facing by default.
🏢 Internal Only: MEDIUM - Users could be tricked into opening malicious AVI files from internal shares or email attachments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious file. The vulnerability is in subtitle parsing, which may limit the attack surface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.12 and later

Vendor Advisory: https://www.videolan.org/security/sb-vlc3012.html

Restart Required: No

Instructions:

1. Download the latest VLC version from videolan.org
2. Install over the existing version
3. No restart required, but close VLC during installation

🔧 Temporary Workarounds

  • Disable subtitle parsing for AVI files (all platforms): modify VLC settings to disable automatic subtitle loading for AVI files
  • Use an alternative media player for AVI files (all platforms): configure the system to use a different media player for .avi files

🧯 If You Can't Patch

  • Restrict user permissions to prevent execution of arbitrary code
  • Implement application whitelisting to block VLC execution

🔍 How to Verify

Check if Vulnerable:

Check VLC version: Help → About (Windows/Linux) or VLC → About VLC (macOS)

Check Version:

vlc --version (Linux/macOS) or check Help → About (Windows)

Verify Fix Applied:

Verify version is 3.0.12 or higher in About dialog
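The version check above can be scripted. The following is an added example, not part of the advisory or of VLC itself: it parses the first line of `vlc --version` (assumed to read "VLC version X.Y.Z ..."; the sample lines are constructed) and reports whether the installed build is in the affected range (earlier than 3.0.12).

```shell
# Added example, not from the advisory: decide whether an installed VLC falls in
# the affected range (3.0.11 and earlier) by parsing `vlc --version` and comparing
# against the fixed release 3.0.12. The "VLC version X.Y.Z" wording of the first
# output line is an assumption; the sample lines below are constructed.

FIXED_VERSION="3.0.12"
SAMPLE_VULNERABLE="VLC version 3.0.11 Vetinari (3.0.11-0-gXXXXXXXXXX)"
SAMPLE_FIXED="VLC version 3.0.12 Vetinari (3.0.12-0-gXXXXXXXXXX)"

# Compare two dotted versions field by field; prints lt, eq or gt for $1 vs $2.
# Missing fields count as 0 and non-numeric suffixes ("11-1ubuntu1") are ignored.
version_cmp() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        x=${v1%%.*}; y=${v2%%.*}
        case "$v1" in *.*) v1=${v1#*.} ;; *) v1="" ;; esac
        case "$v2" in *.*) v2=${v2#*.} ;; *) v2="" ;; esac
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && { echo lt; return; }
        [ "$x" -gt "$y" ] && { echo gt; return; }
    done
    echo eq
}

# Pull the bare version out of the first line of `vlc --version` output.
parse_vlc_version() {
    printf '%s\n' "$1" | sed -n '1s/.*VLC version \([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) when the version is older than the fixed release.
vlc_is_vulnerable() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" = lt ]
}

# Check the locally installed vlc; exit 1 if affected, 2 if undetermined.
main() {
    command -v vlc >/dev/null 2>&1 || { echo "vlc not found in PATH"; return 2; }
    ver=$(parse_vlc_version "$(vlc --version 2>/dev/null)")
    [ -n "$ver" ] || { echo "could not parse vlc --version output"; return 2; }
    if vlc_is_vulnerable "$ver"; then
        echo "VLC $ver is affected by CVE-2021-25802; upgrade to $FIXED_VERSION or later"
        return 1
    fi
    echo "VLC $ver is not affected (>= $FIXED_VERSION)"
}

# Run the live check only when invoked as `sh vlc_check.sh --run`.
[ "${1:-}" = "--run" ] && { main; exit $?; }
```

Distribution packages often append a suffix to the upstream version (for example "3.0.11-1"), which the comparison tolerates; a build carrying backported fixes under an old version number would still be reported as affected, so confirm against the distribution's own advisory in that case.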

📡 Detection & Monitoring

Log Indicators:

  • VLC crash logs
  • Application error events in system logs
  • Unexpected process termination

Network Indicators:

  • Downloads of .avi files from untrusted sources
  • Unusual file transfers to user workstations

SIEM Query:

(EventID=1000 OR EventID=1001) AND (Source=VLC.exe OR ProcessName=VLC)
