The Open Source Technology Improvement Fund is proud to share the results of our security audit of LibVLC. LibVLC is the open source core engine and foundation of VLC media player. With auditing by Trail of Bits and funding provided by the Sovereign Tech Agency, LibVLC received scoped security work, custom tools and fixes, and documentation for future security development.
Audit Process:
This security work took place during late Q1 of 2025 and lasted 5 engineer-weeks. Because LibVLC is large and highly modular, the available time constrained the scope, which covered the project library and its API components. The source code was reviewed manually and with dynamic testing for security correctness, and the resulting report details the security observations and recommendations for future efforts. Fuzzing documentation and harnesses were also contributed to the project, and, as time permitted, patches were submitted for findings from this audit.
Audit Results:
- 24 findings with security impact
- Fuzz testing improvements and recommendations
- Fuzz harnesses for libVLC APIs
- Future security improvement recommendations
VLC is a widely used and popular piece of open source software, with over 132,000,000 downloads and counting. Because it runs on virtually every desktop and mobile platform, exploitation of a vulnerability in the project would be widespread. Preemptive work such as security audits helps prevent such issues from ever becoming exploitable. Custom fuzzers also help project security in the long term by automating continuous testing and reporting issues directly to the maintainers. Project documentation helps educate maintainers and further informs users about the code they are using, building a record of the project over time that informs future work. With development ongoing at the project, issues like #1 in the report (“Weak public key in self-update signature”) and others will be addressed in the VLC 3.0 release.
Open source projects depend on volunteer efforts to help them develop and mature. If you would like to contribute to LibVLC, visit the Contributor page on their website: https://www.videolan.org/contribute.html
Thank you to the individuals and groups that made this engagement possible:
- libVLC maintainers and community, especially Jean-Baptiste Kempf for their feedback and help
- Trail of Bits, especially: William Woodruff, Facundo Tuesca, Travis Peters, and Amanda Stickler
- Sovereign Tech Agency
You can read the Audit Report HERE (PDF)
View the Audit Report on Trail of Bits' GitHub repository HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, reach out to [email protected].
Read about previous OSTIF-Sovereign Tech Agency audits via our 2025 Report