PT-2019-3251 · Videolan+2 · Vlc Media Player+3
Published: 2018-06-25 · Updated: 2020-08-24
CVE-2019-13615
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
libebml versions prior to 1.3.6
VLC Media Player versions prior to 3.0.3
Description
The issue is related to a heap-based buffer over-read in the EbmlElement::FindNextElement function of the libebml library, which is used in the MKV module of the VideoLAN VLC Media Player. This can allow a remote attacker to access protected information, cause a denial of service, or elevate their privileges using a specially crafted video file placed in an MKV container. The problem is caused by a buffer overflow in the code for unpacking the MKV media container.
Recommendations
For libebml versions prior to 1.3.6, update to version 1.3.6 or later to resolve the issue.
For VLC Media Player versions prior to 3.0.3, update to version 3.0.3 or later to resolve the issue.
As a temporary workaround, consider avoiding the use of MKV containers with specially crafted video files until the issue is resolved.
Exploit
Fix
Buffer Overflow
Out of bounds Read
Related identifiers
Affected products
Alt Linux
Ubuntu
Vlc Media Player
Libebml