CVE-2018-1999010 — Out-of-bounds Read in Ffmpeg

CWE-125 — Out-of-bounds Read4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.5%

top 35.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ffmpeg Debian Ffmpeg Debian Linux

Timeline

PublishedJul 23

Latest updateMay 14

Description

FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple out of array access vulnerabilities in the mms protocol that can result in attackers accessing out of bound data. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in cced03dd667a5df6df8fd40d8de0bff477ee02e8 and later.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDffmpeg/ffmpeg< 3.4.3

▶debiandebian/ffmpeg< ffmpeg 7:4.0.2-1 (bookworm)

▶Debianffmpeg/ffmpeg< 7:4.0.2-1+3

Also affects: Debian Linux 8.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-463v-8hm6-rvhp: FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple out of array access vulnerabilities in the mms protocol that can resul↗2022-05-14

▶

OSV

CVE-2018-1999010: FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple out of array access vulnerabilities in the mms protocol that can resul↗2018-07-23

▶

📋Vendor Advisories

Debian

CVE-2018-1999010: ffmpeg - FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple ...↗2018

▶