VLC video player has gaping security hole and there's no fix available
The Germans have discovered that the latest stable 18.104.22.168 version of the VideoLAN media player has a head-based buffer over-read in the demux code for mkv containers. Simply opening a carefully crafted video file using the mkv container is enough to have evil code executed on the system. The vulnerability affects both GNU/Linux and Windows machines.
Concretely, the function mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp will read more data into memory than it should when it is called from mkv::Open in modules/demux/mkv/mkv.cpp. VLC will detect the demuxer even if the file extension is wrong so a specially crafted mkv file could be named exploit.mp4.
German CERT-Bund describes the risk as "hoch". The vulnerability is assigned CVE number 2019-13615.
While the Germans are in theory right when they claim the risk is "hoch" it's in practice near-zero. Someone could go through the trouble of creating a specially crafted .mkv file just for you and attempt to social engineer you into opening it if you are a high value target. The odds of randomly encountering such a specially crafted file which works on your machine is low. Then there is the issue of compatibility. Both GNU/Linux and Windows versions of VLC are vulnerable but Windows exploit code will not work on GNU/Linux and vice versa.
You may want to use mpv instead of VLC for the time being if you consider yourself a high-value target. If the excitement of opening potentially dangerous video files in VLC until a fixed version is released is worth the risk or not is a very personal choice.