Platforms affected:

  • OSMC for Raspberry Pi (all models)
  • OSMC for Apple TV
  • OSMC for Vero (all models)

A vulnerability [1] which could allow remote code execution when downloading subtitles from a remote server has been identified in Kodi. This vulnerability is considered critical.

This vulnerability has been fixed in Kodi and we have now included this in OSMC for all supported platforms.

We recommend you update your device immediately. This can be done by going to My OSMC -> Updates -> Check for Updates. After updating, your system should report OSMC 2017.04-2 as the version in My OSMC.

Although OSMC has a monthly update cycle, OSMC makes critical bug fixes and fixes for security vulnerabilities immediately available. You can learn more about OSMC's update cycle and about keeping your system up to date here.

We plan to release our May update this Sunday, with a variety of performance improvements, feature improvements and bug fixes. However we did not want to wait until this time to release an important security fix.

OSMC would like to thank the Check Point Research Team for responsible disclosure of the vulnerability.

[1] CVE-2016-2118