A Turkish security researcher has discovered two vulnerabilities in library code used by VLC Media Player and other software. The bugs can lead to arbitrary code execution, but despite that severity the practical risk seems somewhat limited: exploitation requires the victim to open a specially crafted FLV or M2V file, and most users rarely come into contact with these file types.
The bugs were reported to VLC's developers, VideoLAN, on Boxing Day (26 December 2014), but by the time of public disclosure on 9 January no fix had reached the latest stable release, 2.1.5. Version 2.2.0-rc2, available to testers, is not vulnerable, according to the VLC project's bug tracker.
The developers have been contacted for comment. Judging by the two entries in the VLC bug tracker, the flaws lie within libavcodec, the FFmpeg/Libav decoding library that VLC bundles as a core component of the player. Because the same library is also used by MPlayer and other open-source software, a fix in VLC alone does not close the hole for those other consumers; each must pick up the corrected libavcodec as well.