CVE-2009-4637
published 2010-02-10CVE-2009-4637: FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a stack-based…
PriorityP259critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
17.04%
96.7th percentile
FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a stack-based buffer overflow.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ffmpeg | < ffmpeg 4:0.5+svn20090706-3 (bookworm) | ffmpeg 4:0.5+svn20090706-3 (bookworm) |
| ffmpeg | ffmpeg | — | — |
| ffmpeg | ffmpeg | >= 0 < 4:0.5+svn20090706-3 | 4:0.5+svn20090706-3 |
| ffmpeg | ffmpeg | >= 0 < 4:0.5+svn20090706-3 | 4:0.5+svn20090706-3 |
| ffmpeg | ffmpeg | >= 0 < 4:0.5+svn20090706-3 | 4:0.5+svn20090706-3 |
| ffmpeg | ffmpeg | >= 0 < 4:0.5+svn20090706-3 | 4:0.5+svn20090706-3 |
Detection & IOCsextracted from sources · hover to see the quote
- →Target application is FFmpeg version 0.5; presence of this version in an environment indicates exposure to a remotely-triggerable stack-based buffer overflow leading to crash or code execution. ↗
- →Monitor for unexpected crashes or abnormal process termination in FFmpeg 0.5 processes when processing remote/untrusted media input, as exploitation manifests as a crash or arbitrary code execution. ↗
- ·The vulnerability vectors are unspecified ('unknown vectors'); no specific file format, codec, or network protocol trigger has been publicly documented, limiting precise detection rule creation. ↗
- ·Debian fixed this in package version 4:0.5+svn20090706-3; environments running older Debian FFmpeg packages remain vulnerable. ↗
CVSS provenance
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
osv10.0CRITICAL
vendor_debian10.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
FFmpeg vulnerabilities
vendor_ubuntu·2010-04-19
CVE-2009-4632 FFmpeg vulnerabilities
Title: FFmpeg vulnerabilities
Summary: FFmpeg vulnerabilities
It was discovered that FFmpeg contained multiple security issues when
handling certain multimedia files. If a user were tricked into opening a
crafted multimedia file, an attacker could cause a denial of service via
application crash, or possibly execute arbitrary code with the privileges
of the user invoking the program.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Debian
CVE-2009-4637: ffmpeg - FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) and poss...
vendor_debian·2009·CVSS 10.0
CVE-2009-4637 [CRITICAL] CVE-2009-4637: ffmpeg - FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) and poss...
FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a stack-based buffer overflow.
Scope: local
bookworm: resolved (fixed in 4:0.5+svn20090706-3)
bullseye: resolved (fixed in 4:0.5+svn20090706-3)
forky: resolved (fixed in 4:0.5+svn20090706-3)
sid: resolved (fixed in 4:0.5+svn20090706-3)
trixie: resolved (fixed in 4:0.5+svn20090706-3)
GHSA
GHSA-v8f9-pj55-fp23: FFmpeg 0
ghsa_unreviewed·2022-05-02
CVE-2009-4637 [HIGH] CWE-119 GHSA-v8f9-pj55-fp23: FFmpeg 0
FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a stack-based buffer overflow.
OSV
CVE-2009-4637: FFmpeg 0
osv·2010-02-10·CVSS 10.0
CVE-2009-4637 [CRITICAL] CVE-2009-4637: FFmpeg 0
FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a stack-based buffer overflow.
No detection rules found.
No writeups or analysis indexed.
http://scarybeastsecurity.blogspot.com/2009/09/patching-ffmpeg-into-shape.htmlhttp://secunia.com/advisories/36805http://secunia.com/advisories/38643http://secunia.com/advisories/39482http://www.debian.org/security/2010/dsa-2000http://www.securityfocus.com/bid/36465http://www.ubuntu.com/usn/USN-931-1http://www.vupen.com/english/advisories/2010/0935https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240http://scarybeastsecurity.blogspot.com/2009/09/patching-ffmpeg-into-shape.htmlhttp://secunia.com/advisories/36805http://secunia.com/advisories/38643http://secunia.com/advisories/39482http://www.debian.org/security/2010/dsa-2000http://www.securityfocus.com/bid/36465http://www.ubuntu.com/usn/USN-931-1http://www.vupen.com/english/advisories/2010/0935https://roundup.ffmpeg.org/roundup/ffmpeg/issue1240
2010-02-10
Published