

ASLR and DEP help reduce the likelihood of code execution, but may be bypassed. While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user information or

If successful, a malicious third party could trigger either a crash of VLC or arbitrary code execution with the privileges of the target user.

The affected code was only used by the macOS/iOS hardware-accelerated decoder (VideoToolbox), meaning other platforms are unaffected.

Summary: Multiple vulnerabilities fixed in VLC media player

Affected versions: VLC media player 3.0.10 and earlier

A remote user could create a specifically crafted file that could trigger a buffer overflow in VLC's H26X packetizer

Impact
