CVE-2023-46814: 
VLC media player vulnerability analysis and mitigation

A binary hijacking vulnerability (CVE-2023-46814) was discovered in VideoLAN VLC media player versions before 3.0.19 on Windows systems. The vulnerability was reported by the Lockheed Martin Red Team and disclosed in November 2023. The issue specifically affects the uninstaller component of VLC media player, which attempts to execute code with elevated privileges from a standard user-writable location (VLC Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-427 (Uncontrolled Search Path Element). The vulnerability exists in the uninstaller component which executes code with elevated privileges from a location that can be written to by standard users (NVD).

If successfully exploited, this vulnerability allows standard users to gain arbitrary code execution with SYSTEM privileges during the uninstallation process. This represents a significant privilege escalation opportunity that could lead to complete system compromise (VLC Advisory, NVD).

The vulnerability has been fixed in VLC media player version 3.0.19. Until users can update to this version or later, the recommended workaround is to keep VLC installed and avoid using the uninstaller. The permanent solution is to upgrade to VLC version 3.0.19 or later (VLC Advisory).