Ubuntu update for vlc
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2019-19721 CVE-2020-13428 CVE-2021-25801 CVE-2021-25802 CVE-2021-25803 CVE-2021-25804 CVE-2022-41325 |
| CWE-ID | CWE-125 CWE-122 CWE-822 CWE-119 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Ubuntu Operating systems & Components / Operating system vlc-plugin-access-extra (Ubuntu package) Operating systems & Components / Operating system package or component vlc (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU27925
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-19721
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within DecodeBlock in sdl_image.c. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger a one byte out-of-bounds read error and read contents of memory on the system.
MitigationUpdate the affected package vlc to the latest version.
Vulnerable software versionsUbuntu: 16.04 - 22.10
vlc-plugin-access-extra (Ubuntu package): before Ubuntu Pro
vlc (Ubuntu package): before Ubuntu Pro
External linkshttp://ubuntu.com/security/notices/USN-6180-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Heap-based buffer overflow
EUVDB-ID: #VU29119
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-13428
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the hxxx_AnnexB_to_xVC() function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player when processing H.264 Annex-B video files. A remote attacker can create a specially crafted .avi file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package vlc to the latest version.
Vulnerable software versionsUbuntu: 16.04 - 22.10
vlc-plugin-access-extra (Ubuntu package): before Ubuntu Pro
vlc (Ubuntu package): before Ubuntu Pro
External linkshttp://ubuntu.com/security/notices/USN-6180-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Out-of-bounds read
EUVDB-ID: #VU49890
Risk: Medium
CVSSv3.1: 5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-25801
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the __Parse_indx component. A remote authenticated attacker can create a specially crafted .avi file, trick the victim into opening it, trigger out-of-bounds read error and cause a denial of service condition on the system.
MitigationUpdate the affected package vlc to the latest version.
Vulnerable software versionsUbuntu: 16.04 - 22.10
vlc-plugin-access-extra (Ubuntu package): before Ubuntu Pro
vlc (Ubuntu package): before Ubuntu Pro
External linkshttp://ubuntu.com/security/notices/USN-6180-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Out-of-bounds read
EUVDB-ID: #VU64520
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-25802
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the AVI_ExtractSubtitle component. A remote attacker can create a specially crafted .avi file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
MitigationUpdate the affected package vlc to the latest version.
Vulnerable software versionsUbuntu: 16.04 - 22.10
vlc-plugin-access-extra (Ubuntu package): before Ubuntu Pro
vlc (Ubuntu package): before Ubuntu Pro
External linkshttp://ubuntu.com/security/notices/USN-6180-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Out-of-bounds read
EUVDB-ID: #VU49889
Risk: Medium
CVSSv3.1: 5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-25803
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the vlc_input_attachment_New component. A remote authenticated attacker can create a specially crafted .avi file, trick the victim into opening it, trigger out-of-bounds read error and cause a denial of service condition on the system.
MitigationUpdate the affected package vlc to the latest version.
Vulnerable software versionsUbuntu: 16.04 - 22.10
vlc-plugin-access-extra (Ubuntu package): before Ubuntu Pro
vlc (Ubuntu package): before Ubuntu Pro
External linkshttp://ubuntu.com/security/notices/USN-6180-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Untrusted Pointer Dereference
EUVDB-ID: #VU49891
Risk: Medium
CVSSv3.1: 5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-25804
CWE-ID:
CWE-822 - Untrusted Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to untrusted pointer dereference. A remote authenticated attacker can create a specially crafted file, trick the victim into opening it and cause a denial of service condition on the system.
MitigationUpdate the affected package vlc to the latest version.
Vulnerable software versionsUbuntu: 16.04 - 22.10
vlc-plugin-access-extra (Ubuntu package): before Ubuntu Pro
vlc (Ubuntu package): before Ubuntu Pro
External linkshttp://ubuntu.com/security/notices/USN-6180-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Buffer overflow
EUVDB-ID: #VU69697
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-41325
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when playing a malicious URL in the vnc module. A remote attacker can trick the victim into opening a specially crafted stream, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package vlc to the latest version.
Vulnerable software versionsUbuntu: 16.04 - 22.10
vlc-plugin-access-extra (Ubuntu package): before Ubuntu Pro
vlc (Ubuntu package): before Ubuntu Pro
External linkshttp://ubuntu.com/security/notices/USN-6180-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
