CVE-2017-8906 — Integer Underflow (Wrap or Wraparound) in X265 High Efficiency Video Coding

CWE-191 — Integer Underflow (Wrap or Wraparound)8 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.3%

top 49.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Multicorewareinc X265 High Efficiency Video Coding Multicorewareinc X265 Debian X265

Timeline

PublishedMay 11

Latest updateMay 17

Description

An integer underflow vulnerability exists in pixel-a.asm, the x86 assembly code for planeClipAndMax() in MulticoreWare x265 through 2.4, as used by the x265_encoder_encode dependency in libbpg and other products. A small picture can cause an integer underflow, which leads to a Denial of Service in the process of encoding.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDmulticorewareinc/x265_high_efficiency_video_coding2.4

▶NVDmulticorewareinc/x26526 versions+25

▶debiandebian/x265

Patches

Patch: bitbucket.org ↗Patch: bitbucket.org ↗

🔴Vulnerability Details

GHSA

GHSA-rvv7-6w95-x7c7: An integer underflow vulnerability exists in pixel-a↗2022-05-17

▶

GHSA

GHSA-9g24-5f9c-j34j: An integer underflow vulnerability exists in pixel-a↗2022-05-13

▶

OSV

CVE-2017-13666: An integer underflow vulnerability exists in pixel-a↗2017-08-24

▶

OSV

CVE-2017-8906: An integer underflow vulnerability exists in pixel-a↗2017-05-11

▶

📋Vendor Advisories

Debian

CVE-2017-13666: x265 - An integer underflow vulnerability exists in pixel-a.asm, the x86 assembly code ...↗2017

▶

Debian

CVE-2017-8906: x265 - An integer underflow vulnerability exists in pixel-a.asm, the x86 assembly code ...↗2017

▶