CVE-2024-35369 — Integer Overflow or Wraparound in Ffmpeg

CWE-190 — Integer Overflow or Wraparound4 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 88.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ffmpeg Debian Ffmpeg

Timeline

PublishedNov 29

Description

In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/ffmpeg< ffmpeg 7:7.0.1-3 (forky)

▶Debianffmpeg/ffmpeg< 7:7.0.1-3+1

▶NVDffmpeg/ffmpeg6.1.1

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-c655-qv2v-73rm: In FFmpeg version n6↗2024-11-29

▶

OSV

CVE-2024-35369: In FFmpeg version n6↗2024-11-29

▶

📋Vendor Advisories

Debian

CVE-2024-35369: ffmpeg - In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a p...↗2024

▶