VLC 3.0.20, a new unscheduled corrective release of the media player, has been made available. It addresses a potential vulnerability (CVE) that could lead to data leaking from a buffer. The vulnerability is triggered when the MMSH stream handler parses malformed network packets, specifically when loading content from a malicious server via an “mms://” URL. The vulnerability has been eliminated in this release. [1]
Aside from addressing the security issue, VLC 3.0.20 also includes several non-security-related changes. Notable changes in this release include:
- A fix for a crash on systems with certain versions of AMD GPU drivers.
- A fix for a crash that occurred after an unsuccessful attempt to use the AV1 hardware decoder.
- A fix for a green strip that appeared during fullscreen playback through D3D11 on Windows.
- A fix for a crash that occurred when processing a double-click of the mouse wheel.
- A fix for the toolbar disappearing in fullscreen mode on Windows.
This update provides users with improved security and a better overall user experience. More information on the changes in VLC 3.0.20 can be found on the official VLC news page. [2]
Sources:
[1] Available
[2] Changes