No, You Don't Need to Uninstall VLC


Chris Hoffman is a former How-To Geek Editor-in-Chief. Since 2011, Chris has personally written over 2,000 articles that have been read more than one billion times---and that's just here at How-To Geek.



"The sky is falling; uninstall VLC right now!" That's the advice some websites are providing. But the purported VLC flaw is overblown---and, according to VLC's developers, may not even be a real risk.

This commotion all started with the publication of CVE-2019-13615, which is marked as a "critical" vulnerability with a score of 9.8 out of 10. VLC's developers aren't happy they weren't even contacted before the publishing of this flaw.

But it's bad, right? That's 9.8 out of 10---as security flaws go, it sounds like an incoming nuclear strike. This flaw could reportedly result in remote code execution, which is bad. Attackers could gain control of your system through a bug in VLC.

As the CVE explains, this flaw requires playing a malformed MKV file. In theory, if you download a malicious MKV file from the web and run it, it could compromise VLC---although no one claims this has ever happened in the real world. Also, the macOS version of VLC doesn't seem to be affected.

So, even if this flaw is as bad as it appears, you just have to be careful about MKV files---don't download untrusted MKV files and play them in VLC until a patch is released. Stay away from MKV if you're pirating media.

But not so fast! VLC's developers say they can't even reproduce the issue, suggesting that there are serious problems with the original exploit report.

At the end of the day, it's probably a good idea to stay away from downloaded MKV files until VLC patches this flaw. But that's all you would really need to do, and even that's being kind of paranoid.

As VLC's developers explain on the VideoLAN bug tracker:

"Sorry, but this bug is not reproducible and does not crash VLC at all." -Jean-Baptiste Kempf

"If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources." -Francois Cartegnie

"This does not crash a normal release of VLC 3.0.7.1" -Jean-Baptiste Kempf

Update: Here's VideoLAN's more lengthy response. According to the developers, there isn't a flaw in the current VLC software at all.