'Critical' vulnerability discovered in VLC on Linux and Windows -- but VideoLAN says it is not reproducible
Reports have emerged of a security bug in the Windows and Linux versions of VLC, making it vulnerable to remote-code execution via malicious videos. But although German and American security experts have branded the flaw as "critical", VLC-maker VideoLAN is downplaying things.
In fact, more than downplaying the vulnerability, VideoLAN is flat-out denying that it exists, with the software developer dismissing it as "fake news". [UPDATE: the vulnerability has now been pretty much debunked]
The alleged vulnerability has been assigned a critical 9.8 CVSS score by NIST, and CERT has issued a similar warning. The flaw supposedly means that malicious MKV files could be used to compromise VLC. There's just one problem: no proof.
A ticket about the security flaw was opened four weeks ago on the VideoLAN website, and lead developer Jean-Baptiste Kempf has now responded to it, saying: "Sorry, but this bug is not reproducible and does not crash VLC at all".
Francois Cartegnie from VideoLAN warns:
If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you read the above comment first and reconsider your (fake) news sources.
On Twitter, VideoLAN lashed out at the CVE team and MITRE that shared news of the vulnerability:
Hey @MITREcorp and @CVEnew, the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly...
— VideoLAN (@videolan) July 23, 2019
Whether you choose to believe the security experts or VideoLAN is up to you, but as VLC is such a big name, it seems unlikely that its developers would leave a reported bug uninvestigated. Keep an eye open for updates, but there's probably little need to panic in the meantime.