VLC Media Player < 2.1.5 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 9265
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


The remote host contains a media application that is affected by two memory corruption vulnerabilities.


The remote host is running VLC 2.x prior to 2.1.5 and is affected by multiple vulnerabilities :

- An error exists in the 'png_push_read_chunk()' function within the file 'pngpread.c' from the included libpng library that can allow denial of service attacks. (CVE-2014-0333)
- A buffer overflow error exists in the 'read_server_hello()' function within the file 'lib/gnutls_handshake.c' from the included GnuTLS library that can allow arbitrary code execution or denial of service. (CVE-2014-3466)
- A heap-based buffer overflow error exists in the transcode module due to improper validation of user-supplied input when handling invalid channel counts. An attacker can exploit this to execute arbitrary code. (CVE-2014-6440)


Upgrade to VLC Media Player version 2.1.5 or later.

See Also



Plugin Details

Severity: Medium

ID: 9265

Family: Web Clients

Published: 3/22/2015

Updated: 3/6/2019

Dependencies: 9797

Nessus ID: 78626

Risk Information


Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C


Risk Factor: Medium

Base Score: 5.6

Temporal Score: 5.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:videolan:vlc_media_player:*:*:*:*:*:*:*:*

Patch Publication Date: 1/20/2015

Vulnerability Publication Date: 1/20/2015

Reference Information

CVE: CVE-2014-0333, CVE-2014-3466, CVE-2014-6440

BID: 65776, 67741, 72950