CVE-2019-1000016 — Improper Validation of Array Index in Ffmpeg

CWE-129 — Improper Validation of Array Index4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 37.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ffmpeg Debian Ffmpeg

Timeline

PublishedFeb 4

Latest updateMay 14

Description

FFMPEG version 4.1 contains a CWE-129: Improper Validation of Array Index vulnerability in libavcodec/cbs_av1.c that can result in Denial of service. This attack appears to be exploitable via specially crafted AV1 file has to be provided as input. This vulnerability appears to have been fixed in after commit b97a4b658814b2de8b9f2a3bce491c002d34de31.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/ffmpeg< ffmpeg 7:4.1.1-1 (bookworm)

▶Debianffmpeg/ffmpeg< 7:4.1.1-1+3

▶NVDffmpeg/ffmpeg4.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-hc9w-x35j-3w9c: FFMPEG version 4↗2022-05-14

▶

OSV

CVE-2019-1000016: FFMPEG version 4↗2019-02-04

▶

📋Vendor Advisories

Debian

CVE-2019-1000016: ffmpeg - FFMPEG version 4.1 contains a CWE-129: Improper Validation of Array Index vulner...↗2019

▶