Developed and maintained by Live Networks, the LIVE555 online media streaming library consists of a collection of C++ libraries for companies and application developers using multimedia streaming based on open standard protocols such as RTP/RTCP, RTSP, or SIP.
Discovery of a Critical Vulnerability in VLC's Online Streaming Library
The LIVE555 online multimedia streaming library supports streaming, receiving, and processing various video formats such as MPEG, H.265, H.264, H.263+, VP8, DV, JPEG, and some audio codecs like MPEG, AAC, AMR, AC-3, and Vorbis.
According to The Hacker News, the vulnerable library is used in popular media players such as VLC and MPlayer, putting the data of millions of users at risk of attack.
The code-execution vulnerability is tracked as CVE-2018-4013 and was discovered by researcher Lilith Wyatt of Cisco Talos Intelligence Group. Specifically, it lies in the HTTP packet-parsing function of the LIVE555 RTSP component, which parses HTTP headers to support RTSP tunneling over HTTP.
According to the Cisco Talos security advisory: 'Specially crafted packets can cause a buffer overflow, leading to code execution.' 'An attacker could send a packet to trigger this vulnerability.'
To exploit the vulnerability, an attacker only needs to craft and send a packet containing multiple strings such as 'Accept:' or 'x-sessioncookie' to the vulnerable application; this triggers a buffer overflow in the 'lookForHeader' function and can lead to arbitrary code execution.
Cisco Talos confirmed that version 0.92 of the Live Networks LIVE555 Media Server is affected and noted that the flaw may also exist in earlier versions.
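As an added example (not code from LIVE555, and not the patched lookForHeader), the kind of bounded header lookup a server that tunnels RTSP over HTTP should use: the value is copied into a fixed buffer with the copy length clamped to the buffer size, so repeated 'Accept:' or 'x-sessioncookie' lines can never push writes past its end, and a second helper counts repeated headers so a server can log the anomaly. The function names and the request text are constructed for illustration.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */
/* Constructed request with repeated headers, the pattern the advisory describes. */
static const char SAMPLE_REQ[] =
    "GET /stream HTTP/1.0\r\n"
    "x-sessioncookie: 0123456789abcdef0123456789abcdef\r\n"
    "Accept: application/x-rtsp-tunnelled\r\n"
    "Accept: application/x-rtsp-tunnelled\r\n"
    "Accept: application/x-rtsp-tunnelled\r\n"
    "x-sessioncookie: 0123456789abcdef0123456789abcdef\r\n"
    "\r\n";
/* Length of the current line up to (not including) CR/LF or end of input. */
static size_t line_len_at(const char *line) { return strcspn(line, "\r\n"); }
/* Start of the next line, or NULL at end of input. */
static const char *next_line(const char *line) {
    line += line_len_at(line);
    while (*line == '\r' || *line == '\n') line++;
    return *line ? line : NULL;
}
/* True if the line starts with "<name>:" (case-insensitive), checked within line_len. */
static int line_is_header(const char *line, size_t line_len, const char *name) {
    size_t n = strlen(name);
    return line_len > n && strncasecmp(line, name, n) == 0 && line[n] == ':';
}
/* Hypothetical hardened lookup (not LIVE555's lookForHeader): copies the first matching
 * header's value into out[], writing at most out_size-1 bytes plus a NUL no matter how
 * often the header repeats. Returns the full value length (truncation is detectable), 0 if absent. */
size_t find_header(const char *req, const char *name, char *out, size_t out_size) {
    if (out_size == 0) return 0;
    out[0] = '\0';
    for (const char *line = req; line; line = next_line(line)) {
        size_t line_len = line_len_at(line);
        if (!line_is_header(line, line_len, name)) continue;
        const char *v = line + strlen(name) + 1, *vend = line + line_len;
        while (v < vend && (*v == ' ' || *v == '\t')) v++;        /* skip leading blanks */
        size_t vlen = (size_t)(vend - v);
        size_t ncopy = vlen < out_size - 1 ? vlen : out_size - 1; /* clamp to the buffer */
        memcpy(out, v, ncopy);
        out[ncopy] = '\0';
        return vlen;
    }
    return 0;
}
/* Count occurrences of a header: repeated Accept:/x-sessioncookie lines are worth logging. */
unsigned count_header(const char *req, const char *name) {
    unsigned n = 0;
    for (const char *line = req; line; line = next_line(line))
        if (line_is_header(line, line_len_at(line), name)) n++;
    return n;
}
```

A caller that compares the returned length with its buffer size can reject or log oversized values instead of silently truncating them.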
Cisco Talos reported the vulnerability to Live Networks on October 10 and officially disclosed it on October 18, after the provider released a security patch for users on October 17.
