The VideoLAN Forums

As reported here

https://gizmodo.com/you-might-want-to-uninstall-vlc-immediately-1836641101

https://winfuture.de/news,110171.html

https://www.cert-bund.de/advisoryshort/CB-K19-0634

There is mention of a critical security flaw

I checked

https://trac.videolan.org/vlc/ticket/22474

and saw the following comments

Changed 7 hours ago by Francois Cartegnie
If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.

the previous comment is

This does not crash a normal release of VLC 3.0.7.1

Can we get clarification on this since this comes from German security agency CERT-Bund

Thanks

I question why any video player need remote code execution

As reported here

This does not crash a normal release of VLC 3.0.7.1

Can we get clarification on this since this comes from German security agency CERT-Bund

Thanks

You're free to read updates on the ticket which clearly explains the issue.

I question why any video player need remote code execution

(Arbitratry) remote code execution is a flaw where someone is able to write and execute any code in a software through a network trigger. In this case, it would be triggering a write of code payload in an executable area of memory executed by VLC , through buffer write overflow and function pointer call. https://en.wikipedia.org/wiki/Arbitrary_code_execution
Media player like VLC doesn't need RCE, it's a bug when they exists.

Here, even with obsolete dependencies, there is no remote code execution exploit currently.