CVE-2024-22860 — Integer Overflow or Wraparound in Ffmpeg

CWE-190 — Integer Overflow or Wraparound4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

2.8%

top 13.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ffmpeg Debian Ffmpeg

Timeline

PublishedJan 27

Description

Integer overflow vulnerability in FFmpeg before n6.1, allows remote attackers to execute arbitrary code via the jpegxl_anim_read_packet component in the JPEG XL Animation decoder.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/ffmpeg< ffmpeg 7:6.1-1 (forky)

▶Debianffmpeg/ffmpeg< 7:6.1-1+1

▶NVDffmpeg/ffmpeg6.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-jhhh-mxj4-r289: Integer overflow vulnerability in FFmpeg before n6↗2024-01-27

▶

OSV

CVE-2024-22860: Integer overflow vulnerability in FFmpeg before n6↗2024-01-27

▶

📋Vendor Advisories

Debian

CVE-2024-22860: ffmpeg - Integer overflow vulnerability in FFmpeg before n6.1, allows remote attackers to...↗2024

▶