VLC Player Vulnerability CVE-2024-46461

A vulnerability has been found in VLC media player that could allow malicious actors to crash the program or even execute arbitrary code.

The vulnerability, tracked as CVE-2024-46461 with a CVSS score of 8.0, stems from a potential integer overflow that can be triggered when VLC processes a maliciously crafted MMS stream. While the most likely outcome is a crash, security experts warn that, in combination with other vulnerabilities, this flaw could lead to information leaks or remote code execution.

This flaw would most likely just crash the player, but we can’t exclude that it could be combined with other vulnerabilities to leak user information or remotely execute code. ASLR and DEP help reduce the likelihood of code execution but may be bypassed.

Exploiting CVE-2024-46461 requires specific action from the user. The attack is only triggered when the victim explicitly opens a maliciously crafted MMS stream. Users are advised to avoid opening MMS streams from untrusted sources until they can apply the latest security patch. For those who use VLC browser plugins, disabling them temporarily can also reduce the attack surface.

Update the VLC media player to version 3.0.21 or later to remain safe.
