FFmpeg
By the Year
In 2025 there have been 25 vulnerabilities in FFmpeg with an average score of 6.4 out of ten. Last year, in 2024, FFmpeg had 38 security vulnerabilities published. Right now, FFmpeg is on track to have fewer security vulnerabilities in 2025 than it did last year. Last year, the average CVE base score was greater by 1.41.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 25 | 6.39 |
| 2024 | 38 | 7.79 |
| 2023 | 8 | 7.41 |
| 2022 | 29 | 6.22 |
| 2021 | 64 | 7.57 |
| 2020 | 3 | 8.03 |
| 2019 | 11 | 8.24 |
| 2018 | 25 | 7.08 |
It may take a day or so for new FFmpeg vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent FFmpeg Security Vulnerabilities
FFmpeg ALS Audio Decoder DoS via Improper Memory Allocation
CVE-2025-7700
5.3 - Medium
- November 07, 2025
A flaw was found in FFmpeg's ALS audio decoder, where it does not properly check for memory allocation failures. This can cause the application to crash when processing certain malformed audio files. While it does not lead to data theft or system control, it can be used to disrupt services and cause a denial of service.
NULL Pointer Dereference
Use-after-free in SANM decoder (pre-8.0) via GetByteContext
CVE-2025-59734
- October 06, 2025
It is possible to cause a use-after-free write in SANM decoding with a carefully crafted animation using subversion < 2. When a STOR chunk is present, a subsequent FOBJ chunk will be saved in ctx->stored_frame. Stored frames can later be referenced by FTCH chunks. For files using subversion < 2, the undecoded frame is stored, and decoded again when the FTCH chunks are parsed. However, in process_frame_obj, if the frame has an invalid size, there's an early return with a value of 0. This causes the code in decode_frame to still store the raw frame buffer into ctx->stored_frame, leaving ctx->has_dimensions set to false. A subsequent chunk with type FTCH would call process_ftch and decode that frame obj again, adding to the top/left values and calling process_frame_obj again. Given that we never set ctx->have_dimensions before, this time we set the dimensions, calling init_buffers, which can reallocate the buffer in ctx->stored_frame, freeing the previous one. However, the GetByteContext object gb still holds a reference to the old buffer. Finally, when the code tries to decode the frame, codecs that accept a GetByteContext as a parameter will trigger a use-after-free read when using gb. GetByteContext is only used for reading bytes, so at most one could read invalid data. There are no heap allocations between the free and when the object is accessed. However, upon returning to process_ftch, the code restores the original values for top/left in stored_frame, writing 4 bytes to the freed data at offset 6, potentially corrupting the allocator's metadata. This issue can be triggered just by probing whether a file has the sanm format. We recommend upgrading to version 8.0 or beyond.
Dangling pointer
OpenEXR <8.0 EXR Decoding DWAA/DWAB Channel Size Assumption Vulner
CVE-2025-59733
- October 06, 2025
When decoding an OpenEXR file that uses DWAA or DWAB compression, there's an implicit assumption that all image channels have the same pixel type (and size), and that if there are four channels, the first four are "B", "G", "R" and "A". The channel parsing code can be found in decode_header. The buffer td->uncompressed_data is allocated in decode_block based on the xsize, ysize and computed current_channel_offset. The function dwa_uncompress then assumes at [5] that if there are 4 channels, these are "B", "G", "R" and "A", and in the calculations at [6] and [7] that all channels are of the same type, which matches the type of the main color channels. If we set the main color channels to a 4-byte type and add duplicate or unknown channels of the 2-byte EXR_HALF type, then the addition at [7] will increment the pointer by 4-bytes * xsize * nb_channels, which will exceed the allocated buffer. We recommend upgrading to version 8.0 or beyond.
Memory Corruption
OpenEXR pre-8.0 Buffer Overflow via DWAA/DWAB (CVE-2025-59732)
CVE-2025-59732
- October 06, 2025
When decoding an OpenEXR file that uses DWAA or DWAB compression, there's an implicit assumption that the height and width are divisible by 8. If the height or width of the image is not divisible by 8, the copy loops at [0] and [1] will continue to write until the next multiple of 8. The buffer td->uncompressed_data is allocated in decode_block based on the precise height and width of the image, so the "rounded-up" multiple of 8 in the copy loop can exceed the buffer bounds, and the write block starting at [2] can corrupt following heap memory. We recommend upgrading to version 8.0 or beyond.
Memory Corruption
OpenEXR <8.0 RLE Overflow via Unchecked Length in DWAA/DWAB Decoding
CVE-2025-59731
- October 06, 2025
When decoding an OpenEXR file that uses DWAA or DWAB compression, the specified raw length of run-length-encoded data is not checked when using it to calculate the output data. We read rle_raw_size from the input file at [0], we decompress and decode into the buffer td->rle_raw_data of size rle_raw_size at [1], and then at [2] we will access entries in this buffer up to (td->xsize - 1) * (td->ysize - 1) + rle_raw_size / 2, which may exceed rle_raw_size. We recommend upgrading to version 8.0 or beyond.
Memory Corruption
Heap Buffer Overflow in SANM Decoder (before 8.0)
CVE-2025-59730
- October 06, 2025
When decoding a frame for a SANM file (ANIM v0 variant), the decoded data can be larger than the buffer allocated for it. Frames encoded with codec 48 can specify their resolution (width x height). A buffer of appropriate size is allocated depending on the resolution. This codec can encode the frame contents using a run-length encoding algorithm. There are no checks that the decoded frame fits in the allocated buffer, leading to a heap-buffer-overflow. process_frame_obj initializes the buffers based on the frame resolution: We recommend upgrading to version 8.0 or beyond.
Memory Corruption
Integer underflow in DHAV file parsing (version < 8.0)
CVE-2025-59729
- October 06, 2025
When parsing the header for a DHAV file, there's an integer underflow in offset calculation that leads to reading the duration from before the start of the allocated buffer. If we load a DHAV file that is larger than MAX_DURATION_BUFFER_SIZE bytes (0x100000), for example 0x101000 bytes, then at [0] we have size = 0x101000. At [1] we have end_buffer_size = 0x100000, and at [2] we have end_buffer_pos = 0x1000. The loop then scans backwards through the buffer looking for the dhav tag; when it is found, we'll calculate end_pos based on a 32-bit offset read from the buffer. There is subsequently a check [3] that end_pos is within the section of the file that has been copied into end_buffer, but it only correctly handles the cases where end_pos is before the start of the file or after the section copied into end_buffer, and not the case where end_pos is within the file, but before the section copied into end_buffer. If we provide such an offset, (end_pos - end_buffer_pos) can underflow, resulting in the subsequent access at [4] occurring before the beginning of the allocation. We recommend upgrading to version 8.0 or beyond.
Memory Corruption
OOB NUL-byte write in MPEG-DASH manifest parsing (ffmpeg <8.0)
CVE-2025-59728
- October 06, 2025
When calculating the content path in handling of MPEG-DASH manifests, there's an out-of-bounds NUL-byte write one byte past the end of the buffer. When we call xmlNodeGetContent below [0], it returns a buffer precisely allocated to match the string length, using strdup internally. If this buffer is not an empty string, it is assigned to root_url at [1]. If the last (non-NUL) byte in this buffer is not '/' then we append '/' in-place at [2]. This will write two bytes into the buffer, starting at the last valid byte in the buffer, writing the NUL byte beyond the end of the allocated buffer. We recommend upgrading to version 8.0 or beyond.
Memory Corruption
FFmpeg 7.1 NUL Deref in iamf_read_header (iamfdec.c)
CVE-2024-55069
- May 02, 2025
ffmpeg 7.1 is vulnerable to Null Pointer Dereference in function iamf_read_header in /libavformat/iamfdec.c.
FFmpeg IAMF File Handler Memory Leak via num_parameters
CVE-2025-1816
4.3 - Medium
- March 02, 2025
A vulnerability classified as problematic has been found in FFmpeg up to 6e26f57f672b05e7b8b052007a83aef99dc81ccb. This affects the function audio_element_obu of the file libavformat/iamf_parse.c of the component IAMF File Handler. The manipulation of the argument num_parameters leads to memory leak. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 0526535cd58444dd264e810b2f3348b4d96cff3b. It is recommended to apply a patch to fix this issue.
Improper Resource Shutdown or Release
Stack Overflow in FFmpeg AAC Encoder (ff_aac_search_for_tns) before 7.1
CVE-2025-1594
8.8 - High
- February 23, 2025
A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. This affects the function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c of the component AAC Encoder. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Memory Corruption
FFmpeg AAC Decoder Assertion DoS via Crafted AAC File
CVE-2025-22919
6.5 - Medium
- February 18, 2025
A reachable assertion in FFmpeg git-master commit N-113007-g8d24a28d06 allows attackers to cause a Denial of Service (DoS) via opening a crafted AAC file.
assertion failure
FFmpeg NULL ptr deref via libavformat/mov.c
CVE-2025-25471
- February 18, 2025
FFmpeg git master before commit fd1772 was discovered to contain a NULL pointer dereference via the component libavformat/mov.c.
FFmpeg NULL Pointer Deref in libavformat/mov.c
CVE-2025-25473
- February 18, 2025
FFmpeg git master before commit c08d30 was discovered to contain a NULL pointer dereference via the component libavformat/mov.c.
FFmpeg JPEG2000 Dec CVE-2025-22921 Segmentation Fault
CVE-2025-22921
6.5 - Medium
- February 18, 2025
FFmpeg git-master, N-113007-g8d24a28d06, was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c.
NULL Pointer Dereference
FFmpeg libavutil/mem.c Memory Leak in git-master before commit d5873b
CVE-2025-25468
- February 18, 2025
FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/mem.c.
Memory leak in FFmpeg libavutil/iamf.c (CVE-2025-25469)
CVE-2025-25469
- February 18, 2025
FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/iamf.c.
FFmpeg MOV Parser NPD before v7.1
CVE-2025-1373
5.5 - Medium
- February 17, 2025
A vulnerability was found in FFmpeg up to 7.1. It has been rated as problematic. Affected by this issue is the function mov_read_trak of the file libavformat/mov.c of the component MOV Parser. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The patch is identified as 43be8d07281caca2e88bfd8ee2333633e1fb1a13. It is recommended to apply a patch to fix this issue.
NULL Pointer Dereference
FFmpeg Frame Packet Memory Corruption
CVE-2024-38413
7.8 - High
- February 03, 2025
Memory corruption while processing frame packets.
Memory Corruption
FFmpeg 7.1 - OOB Read in af_pan.c (Unchecked Return Value)
CVE-2025-0518
- January 16, 2025
Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read Sensitive Constants Within an Executable. This vulnerability is associated with program files https://github.com/FFmpeg/FFmpeg/blob/master/libavfilter/af_pan.c and affects FFmpeg 7.1. The issue was fixed in https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a and was discovered by Simcha Kosman.
Unchecked Return Value
FFmpeg HLS Demuxer Extension Bypass via Data URIs
CVE-2023-6601
- January 06, 2025
A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions.
FFmpeg XBIN Demuxer DoS Vulnerability
CVE-2023-6604
- January 06, 2025
A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation.
FFmpeg fails to sanitize URLs in DASH .m3u8, enabling server-initiated HTTP GET
CVE-2023-6605
- January 06, 2025
A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs.
FFmpeg n6.1.1 DXA Demuxer Int Overflow, DoS risk
CVE-2024-36613
- January 03, 2025
FFmpeg n6.1.1 has a vulnerability in the DXA demuxer of the libavformat library allowing for an integer overflow, potentially resulting in a denial-of-service (DoS) condition or other undefined behavior.
Double-Free in FFmpeg n6.1.1 (fftools/ffmpeg_mux_init.c)
CVE-2024-35365
- January 03, 2025
FFmpeg version n6.1.1 has a double-free vulnerability in the fftools/ffmpeg_mux_init.c component of FFmpeg, specifically within the new_stream_audio function.
Data Exfiltration via TTY Demuxer Parsing in FFmpeg
CVE-2023-6602
5.3 - Medium
- December 31, 2024
A flaw was found in FFmpeg's TTY Demuxer. This vulnerability allows possible data exfiltration via improper parsing of non-TTY-compliant input files in HLS playlists.
Insecure Direct Object Reference
FFmpeg HLS playlist parsing null ptr deref DDoS
CVE-2023-6603
7.5 - High
- December 31, 2024
A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization.
NULL Pointer Dereference
FFmpeg n7.0 Double Free in libavcodec/rkmppdec.rkmpp_retrieve_frame
CVE-2024-35368
9.8 - Critical
- November 29, 2024
FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c.
Double-free
FFmpeg 6.1.1 OOB Read in libavcodec/vp8dsp_altivec.c
CVE-2024-35367
9.1 - Critical
- November 29, 2024
FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8dsp_altivec.c, static const vec_s8 h_subpel_filters_outer
Out-of-bounds Read
FFmpeg 6.1.1 Integer Overflow libavformat sbgdec.c
CVE-2024-35366
- November 29, 2024
FFmpeg n6.1.1 is affected by an integer overflow. The vulnerability exists in the parse_options function of sbgdec.c within the libavformat module. When parsing certain options, the software does not adequately validate the input. This allows for negative duration values to be accepted without proper bounds checking.
Integer Overflow in FFmpeg 6.1.1 Westwood VQA component causing DoS
CVE-2024-36616
- November 29, 2024
An integer overflow in the component /libavformat/westwood_vqa.c of FFmpeg n6.1.1 allows attackers to cause a denial of service in the application via a crafted VQA file.
FFmpeg VP9 decoder race in n7.0
CVE-2024-36615
- November 29, 2024
FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could lead to a data race if video encoding parameters were being exported, as the side data would be attached in the decoder thread while being read in the output thread.
FFmpeg AVI Demuxer Integer Overflow Vulnerability
CVE-2024-36618
6.2 - Medium
- November 29, 2024
FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavformat library which allows for an integer overflow, potentially resulting in a denial-of-service (DoS) condition.
Integer Overflow or Wraparound
FFmpeg CAF Decoder Integer Overflow Vulnerability
CVE-2024-36617
- November 29, 2024
FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF decoder.
FFmpeg libavcodec WAVARC Decoder Integer Overflow Vulnerability
CVE-2024-36619
- November 29, 2024
FFmpeg n6.1.1 has a vulnerability in the WAVARC decoder of the libavcodec library which allows for an integer overflow when handling certain block types, leading to a denial-of-service (DoS) condition.
FFmpeg Speex Codec Extradata Integer Overflow Vulnerability
CVE-2024-35369
- November 29, 2024
In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process.
FFmpeg libswresample heap overflow (<=5.1.5) fixed in 5.1.6/6.0
CVE-2024-7272
8.8 - High
- August 12, 2024
A vulnerability, which was classified as critical, was found in FFmpeg up to 5.1.5. This affects the function fill_audiodata of the file /libswresample/swresample.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. This issue was fixed in version 6.0 by 9903ba28c28ab18dc7b7b6fb8571cc8b5caae1a6 but a backport for 5.1 was forgotten. The exploit has been disclosed to the public and may be used. Upgrading to version 5.1.6 and 6.0 9903ba28c28ab18dc7b7b6fb8571cc8b5caae1a6 is able to address this issue. It is recommended to upgrade the affected component.
Memory Corruption
FFmpeg 7.0.1 pnm_decode_frame Heap Overflow CVE-2024-7055
CVE-2024-7055
6.3 - Medium
- August 06, 2024
A vulnerability was found in FFmpeg up to 7.0.1. It has been classified as critical. This affects the function pnm_decode_frame in the library /libavcodec/pnmdec.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0.2 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-273651.
Heap-based Buffer Overflow
FFmpeg 7.0 Buffer Overflow via Negative Size in mpegvideo_enc
CVE-2024-32230
7.8 - High
- July 01, 2024
FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg 7.0.
Classic Buffer Overflow
FF 7.0 Heap Overflow in libavfilter/vf_tiltandshift
CVE-2024-32229
- July 01, 2024
FFmpeg 7.0 contains a heap-buffer-overflow at libavfilter/vf_tiltandshift.c:189:5 in copy_column.
FFmpeg 7.0 Buffer Overflow in libavcodec.hevc_frame_end
CVE-2024-32228
- July 01, 2024
FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a SEGV at libavcodec/hevcdec.c:2947:22 in hevc_frame_end.
FFmpeg: Info Leak on MP2 Parsing with Bad Section Length
CVE-2023-43555
7.5 - High
- June 03, 2024
Information disclosure in Video while parsing mp2 clip with invalid section length.
Out-of-bounds Read
FFmpeg Buffer Overflow (af_stereowiden.c) Enables Local Code Exec
CVE-2023-51794
- April 26, 2024
Buffer Overflow vulnerability in FFmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via libavfilter/af_stereowiden.c:120:69.
Buffer Overflow in FFmpeg showspectrumpic_request_frame (libavfilter)
CVE-2023-51795
8 - High
- April 19, 2024
Buffer Overflow vulnerability in FFmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavfilter/avf_showspectrum.c:1789:52 component in showspectrumpic_request_frame.
Heap-based Buffer Overflow
ffmpeg Buffer Overflow via libavfilter/f_reverse.c leads to local code exec
CVE-2023-51796
3.6 - Low
- April 19, 2024
Buffer Overflow vulnerability in FFmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via libavfilter/f_reverse.c:269:26 in areverse_request_frame.
Classic Buffer Overflow
FFmpeg libavfilter buf overflow local exec via showwaves_filter_frame
CVE-2023-51797
6.7 - Medium
- April 19, 2024
Buffer Overflow vulnerability in FFmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via libavfilter/avf_showwaves.c:722:24 in showwaves_filter_frame.
Code Injection
FFmpeg VF_MINTERPOLATE Buffer Overflow via FPE
CVE-2023-51798
7.8 - High
- April 19, 2024
Buffer Overflow vulnerability in FFmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via a floating point exception (FPE) error at libavfilter/vf_minterpolate.c:1078:60 in interpolate.
Classic Buffer Overflow
FFmpeg Buffer Overflow in image_copy_plane allows RCE
CVE-2023-51793
7.8 - High
- April 19, 2024
Buffer Overflow vulnerability in FFmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via libavutil/imgutils.c:353:9 in image_copy_plane.
Classic Buffer Overflow
FFmpeg Buffer Overflow in libavcodec/jpegxl_parser.c
CVE-2023-51791
7.8 - High
- April 19, 2024
Buffer Overflow vulnerability in FFmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via libavcodec/jpegxl_parser.c in gen_alias_map.
Out-of-bounds Read
FFmpeg v.n6.1-3-g466799d4f5 Heap Buffer Overflow in ff_gaussian_blur_8
CVE-2023-50009
- April 19, 2024
FFmpeg v.n6.1-3-g466799d4f5 allows a heap-based buffer overflow via the ff_gaussian_blur_8 function in libavfilter/edge_template.c:116:5 component.