VLC says the reported RCE vulnerability is invalid and does not affect user security
Earlier, we reported that security agencies had issued warnings that a high-risk vulnerability in the well-known open-source media player VLC affects hundreds of millions of users around the world. The organization that issued the warning was the German Federal Computer Emergency Response Center. Many news outlets then published their own alerts based on it. The warning stated that the high-risk VLC vulnerability could lead to remote code execution, information leakage, and service interruption, and advised users to temporarily disable the VLC player.
About the "security issue" on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim. Thread:
— VideoLAN (@videolan) July 24, 2019
Given that the vulnerability was described as extremely dangerous and VLC had not yet released a new version to fix it, many users of the player expressed concerns about their security. However, VLC officially stated on Twitter that while the vulnerability does exist, it is actually a problem in a third-party library. That library is mainly used to parse .EBML files. The vulnerability in this library has already been fixed, has not caused serious harm, and will not affect the security of users.
The VLC team went further and criticized the German Federal Computer Emergency Response Center for issuing an alert without contacting the team first and without verifying the underlying facts.