Vulnerability DatabaseCVE-2021-25804

CVE-2021-25804:
VLC media player vulnerability analysis and mitigation

Overview

A NULL-pointer dereference vulnerability was discovered in the 'Open' function within avi.c of VideoLAN VLC Media Player 3.0.11. This security flaw was assigned CVE-2021-25804 and was reported by Zhen Zhou from NSFOCUS Security Team (VLC Commit).

Technical details

The vulnerability stems from an invalid dereference where the stored track index might not match the one at parsing time when processing AVI video files (VLC Commit). This issue affects the AVI demuxer component of VLC Media Player version 3.0.11.

Impact

When exploited, this vulnerability can lead to a denial of service (DoS) condition in the application. If a user is tricked into opening a crafted AVI video file, a remote attacker could potentially cause VLC to crash (Ubuntu Notice).

Mitigation and workarounds

The vulnerability has been fixed in subsequent releases of VLC Media Player. Various Linux distributions have released security updates to address this issue: Ubuntu has released updates for multiple versions, Debian has fixed the issue in versions 3.0.21-0+deb11u1 for bullseye and 3.0.21-0+deb12u1 for bookworm (Debian Tracker).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

7.5

Score

Published July 26, 2021

Severity HIGH

CNA Score N/A

Affected Technologies

VLC media player

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 76.4

Exploitation Probability (EPSS) 1

Affected packages and libraries

vlc
cpe:2.3:a:videolan:vlc_media_player

Sources

Debian Security Tracker
- Debian 9, 10, 11, 12 Severity HIGHHas FixAdded at: Nov 23, 2021
- Debian 13 Severity HIGHHas FixAdded at: Jun 11, 2023
- Debian 14 Severity HIGHHas FixAdded at: Aug 10, 2025
Echo
- Echo Severity HIGHHas FixAdded at: Nov 18, 2025
Ubuntu Security Tracker
- Ubuntu 16.04 Severity LOWHas FixAdded at: Nov 13, 2023
- Ubuntu 18.04, 20.04 Severity LOWHas FixAdded at: Jun 20, 2023
NVD
- Linux Severity HIGHHas FixAdded at: Nov 23, 2021
- Windows Severity HIGHHas FixAdded at: Nov 23, 2021

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related VLC media player vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2023-47359	CRITICAL	9.8	VLC media player	cpe:2.3:a:videolan:vlc_media_player	No	Yes	Nov 07, 2023
CVE-2024-46461	HIGH	8	VLC media player	vlc	No	Yes	Sep 25, 2024
CVE-2023-46814	HIGH	7.8	VLC media player	cpe:2.3:a:videolan:vlc_media_player	No	Yes	Nov 22, 2023
CVE-2022-41325	HIGH	7.8	VLC media player	cpe:2.3:a:videolan:vlc_media_player	No	Yes	Dec 06, 2022
CVE-2023-47360	HIGH	7.5	VLC media player	cpe:2.3:a:videolan:vlc_media_player	No	Yes	Nov 07, 2023

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2021-25804: VLC media player vulnerability analysis and mitigation