CVE-2011-2160 — Improper Input Validation in Ffmpeg

CWE-20 — Improper Input Validation4 documents4 sources

Severity

9.3CRITICALNVD

OSV6.8

EPSS

0.8%

top 26.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ffmpeg Debian Ffmpeg

Timeline

PublishedMay 20

Latest updateMay 17

Description

The VC-1 decoding functionality in FFmpeg before 0.5.4, as used in MPlayer and other products, does not properly restrict read operations, which allows remote attackers to have an unspecified impact via a crafted VC-1 file, a related issue to CVE-2011-0723.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages3 packages

▶debiandebian/ffmpeg< ffmpeg 7:2.4.1-1 (bookworm)

▶Debianffmpeg/ffmpeg< 7:2.4.1-1+3

▶NVDffmpeg/ffmpeg0.5.3+17

🔴Vulnerability Details

GHSA

GHSA-xcpc-jvcx-3fxc: The VC-1 decoding functionality in FFmpeg before 0↗2022-05-17

▶

OSV

CVE-2011-2160: The VC-1 decoding functionality in FFmpeg before 0↗2011-05-20

▶

📋Vendor Advisories

Debian

CVE-2011-2160: ffmpeg - The VC-1 decoding functionality in FFmpeg before 0.5.4, as used in MPlayer and o...↗2011

▶