CVE-2015-8365 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Ffmpeg

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer5 documents5 sources

Severity

6.8MEDIUMNVD

EPSS

0.5%

top 32.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ffmpeg Debian Ffmpeg Canonical Ubuntu Linux

Timeline

PublishedNov 26

Latest updateMay 17

Description

The smka_decode_frame function in libavcodec/smacker.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not verify that the data size is consistent with the number of channels, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Smacker data.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/ffmpeg< ffmpeg 7:2.8.3-1 (bookworm)

▶Debianffmpeg/ffmpeg< 7:2.8.3-1+3

▶NVDffmpeg/ffmpeg7 versions+6

Also affects: Ubuntu Linux 12.04

🔴Vulnerability Details

GHSA

GHSA-vpmr-xj5g-v4mf: The smka_decode_frame function in libavcodec/smacker↗2022-05-17

▶

OSV

CVE-2015-8365: The smka_decode_frame function in libavcodec/smacker↗2015-11-26

▶

📋Vendor Advisories

Ubuntu

Libav vulnerabilities↗2016-04-04

▶

Debian

CVE-2015-8365: ffmpeg - The smka_decode_frame function in libavcodec/smacker.c in FFmpeg before 2.6.5, 2...↗2015

▶