CVE-2017-14223 — Uncontrolled Resource Consumption in Ffmpeg

CWE-400 — Uncontrolled Resource Consumption4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.9%

top 25.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ffmpeg Debian Ffmpeg Debian Linux

Timeline

PublishedSep 9

Latest updateMay 14

Description

In libavformat/asfdec_f.c in FFmpeg 3.3.3, a DoS in asf_build_simple_index() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted ASF file, which claims a large "ict" field in the header but does not contain sufficient backing data, is provided, the for loop would consume huge CPU and memory resources, since there is no EOF check inside the loop.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/ffmpeg< ffmpeg 7:3.3.4-1 (bookworm)

▶Debianffmpeg/ffmpeg< 7:3.3.4-1+3

▶NVDffmpeg/ffmpeg3.3.3

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-fhhh-rhfq-jf53: In libavformat/asfdec_f↗2022-05-14

▶

OSV

CVE-2017-14223: In libavformat/asfdec_f↗2017-09-09

▶

📋Vendor Advisories

Debian

CVE-2017-14223: ffmpeg - In libavformat/asfdec_f.c in FFmpeg 3.3.3, a DoS in asf_build_simple_index() due...↗2017

▶