CVE-2018-1999015 — Out-of-bounds Read in Ffmpeg

CWE-125 — Out-of-bounds Read4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 40.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ffmpeg Debian Ffmpeg

Timeline

PublishedJul 23

Latest updateMay 14

Description

FFmpeg before commit 5aba5b89d0b1d73164d3b81764828bb8b20ff32a contains an out of array read vulnerability in ASF_F format demuxer that can result in heap memory reading. This attack appear to be exploitable via specially crafted ASF file that has to provided as input. This vulnerability appears to have been fixed in 5aba5b89d0b1d73164d3b81764828bb8b20ff32a and later.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/ffmpeg< ffmpeg 7:4.0.2-1 (bookworm)

▶Debianffmpeg/ffmpeg< 7:4.0.2-1+3

▶NVDffmpeg/ffmpeg4.0.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-w6mf-f4jp-73hm: FFmpeg before commit 5aba5b89d0b1d73164d3b81764828bb8b20ff32a contains an out of array read vulnerability in ASF_F format demuxer that can result in h↗2022-05-14

▶

OSV

CVE-2018-1999015: FFmpeg before commit 5aba5b89d0b1d73164d3b81764828bb8b20ff32a contains an out of array read vulnerability in ASF_F format demuxer that can result in h↗2018-07-23

▶

📋Vendor Advisories

Debian

CVE-2018-1999015: ffmpeg - FFmpeg before commit 5aba5b89d0b1d73164d3b81764828bb8b20ff32a contains an out of...↗2018

▶