The data execution prevention (CVE-2014-9597) and write access (CVE-2014-9598) violation vulnerabilities could lead to arbitrary code execution, researcher Veysel Hatas said in a post.
"This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code."
He said both were high severity holes.
VLC's developers, Videolan Software, were informed of the flaws on Boxing Day and had not issued fixes for the latest stable version, 2.1.5, by the time of disclosure 9 January. Version 2.2.0-rc2, available to testers, is not vulnerable, according to the VLC project's bug tracker.
The developers have been contacted for comment. Judging by entries in the VLC bug tracker, here and here, the flaws lie within libavcodec, a core component of the video player. This library is also used by MPlayer and other open-source software.
Videolan Software claims to have clocked up millions of downloads for Windows and Mac operating systems alone across various versions and more than 1.5 billion downloads in total.