No, You Don’t Need to Uninstall VLC

On Jul 24, 2019

How to Find Your Direction of Travel Using Google Maps

Jan 21, 2024

How to Use Your Android phone as Computer Speaker on Windows

Jan 19, 2024

“The sky is falling; uninstall VLC right now!” That’s the advice some websites are providing. But the purported VLC flaw is overblown and, according to VLC’s developers, may not even be a real risk.

This commotion all started with the publication of CVE-2019-13615, which is marked as a “critical” vulnerability with a score of 9.8 out of 10. VLC’s developers aren’t happy they weren’t even contacted before the publishing of this flaw.

Hey @MITREcorp and @CVEnew , the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly…
— VideoLAN (@videolan) July 23, 2019

But it’s bad, right? That’s 9.8 out of 10 as security flaws go, it sounds like an incoming nuclear strike. This flaw could reportedly result in remote code execution, which is bad. Attackers could gain control of your system through a bug in VLC.

As the CVE explains, this flaw requires playing a malformed MKV file. In theory, if you download a malicious MKV file from the web and run it, it could compromise VLC although no one claims this has ever happened in the real world. Also, the macOS version of VLC doesn’t seem to be affected.

So, even if this flaw is as bad is it appears, you just have to be careful about MKV files don’t download untrusted MKV files and play them in VLC until a patch is released. Stay away from MKV if you’re pirating media.

But not so fast! VLC’s developers say they can’t even reproduce the issue, suggesting that there are serious problems with the original exploit report.

Did you even check this?
No one can reproduce this issue here.
— VideoLAN (@videolan) July 23, 2019

At the end of the day, it’s probably a good idea to stay away from downloaded MKV files until VLC patches this flaw. But that’s all you would really need to do, and even that’s being kind of paranoid.

As VLC’s developers explain on the VideoLAN bug tracker:

“Sorry, but this bug is not reproducible and does not crash VLC at all.” -Jean-Baptiste Kempf
“If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.” -Francois Cartegnie
“This does not crash a normal release of VLC 3.0.7.1” -Jean-Baptiste Kempf