Alleged critical VLC flaw is nothing to worry about -- and is nothing to do with VLC
There has been a degree of confusion over the last few days after news spread of a supposed vulnerability in the media player VLC. Despite being labelled by security experts as "critical", VLC's developers, VideoLAN, denied there was a problem at all.
And they were right. While there is a vulnerability, it was in a third-party library, not VLC itself. On top of this, it is nowhere near as severe as first suggested. Oh -- and it was fixed over a year ago. An older version of Ubuntu Linux was to blame for the confusion.
The problem actually exists in a third-party library called libebml, and the issue was addressed some time ago. The upshot is that if you have updated VLC within the last year, there is no risk whatsoever. VLC's developers are understandably upset at the suggestion that their software was insecure.
Over on Twitter, VideoLAN criticized MITRE for spreading worrying news without checking its veracity:
About the "security issue" on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim. Thread:
— VideoLAN (@videolan) July 24, 2019
NIST has now downgraded its vulnerability rating from Critical with a rating of 9.8, to Medium with a rating of 5.5.
So how did the belief that VLC was vulnerable spring up? It seems that the person who reported the vulnerability was using Ubuntu 18.04 which includes an older, unpatched version of the libebml library.
As long as you have VLC 3.0.3 or newer installed, you're safe. Panic over.
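A quick way to script the "3.0.3 or newer" check above across machines, added here as an example and not taken from the article or from VideoLAN. It assumes the first line of `vlc --version` has the form "VLC media player X.Y.Z ..."; feed it that line or any "X.Y.Z" string.

```shell
#!/bin/sh
# Added example: decide whether a VLC build is 3.0.3 or newer, the first
# release the article says ships the fixed libebml. Not VideoLAN's code.

# Print the X.Y.Z version found in a banner line, or nothing if absent.
vlc_version_of() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p'
}

# Return 0 if the version is >= 3.0.3, 1 if it is older,
# 2 if no three-part version could be parsed from the input.
vlc_is_fixed() {
    ver=$(vlc_version_of "$1")
    [ -n "$ver" ] || return 2
    # Split X.Y.Z with POSIX parameter expansion (no arrays needed).
    maj=${ver%%.*}
    rest=${ver#*.}
    min=${rest%%.*}
    pat=${rest#*.}
    # Compare component by component against 3.0.3.
    [ "$maj" -gt 3 ] && return 0
    [ "$maj" -lt 3 ] && return 1
    [ "$min" -gt 0 ] && return 0
    [ "$pat" -ge 3 ] && return 0
    return 1
}

# Check the locally installed VLC (assumes the banner format above).
check_installed_vlc() {
    banner=$(vlc --version 2>/dev/null | head -n 1)
    if vlc_is_fixed "$banner"; then
        echo "VLC is 3.0.3 or newer: fixed libebml shipped"
    else
        echo "VLC older than 3.0.3 or not found: update it"
        return 1
    fi
}
```

Run `check_installed_vlc` on a host, or pipe banners collected from an inventory into `vlc_is_fixed` one line at a time.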