CVE-2011-3952 — Improper Input Validation in Ffmpeg

CWE-20 — Improper Input Validation6 documents5 sources

Severity

6.8MEDIUMNVD

EPSS

1.0%

top 23.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ffmpeg Debian Ffmpeg Libav

Timeline

PublishedAug 20

Latest updateMay 14

Description

The decode_init function in kmvc.c in libavcodec in FFmpeg before 0.10 and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.6, and 0.8.x before 0.8.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large palette size in a KMVC encoded file.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages4 packages

▶debiandebian/ffmpeg< ffmpeg 7:2.4.1-1 (bookworm)

▶Debianffmpeg/ffmpeg< 7:2.4.1-1+3

▶NVDffmpeg/ffmpeg0.9.1+42

▶NVDlibav/libav15 versions+14

🔴Vulnerability Details

GHSA

GHSA-q8mw-vrp6-fqq8: The decode_init function in kmvc↗2022-05-14

▶

OSV

CVE-2011-3952: The decode_init function in kmvc↗2012-08-20

▶

📋Vendor Advisories

Ubuntu

FFmpeg vulnerabilities↗2012-06-18

▶

Ubuntu

Libav vulnerabilities↗2012-06-18

▶

Debian

CVE-2011-3952: ffmpeg - The decode_init function in kmvc.c in libavcodec in FFmpeg before 0.10 and in Li...↗2011

▶