CVE-2024-36615 — Race Condition in Ffmpeg

CWE-362 — Race Condition4 documents4 sources

Severity

5.9MEDIUMNVD

EPSS

0.1%

top 73.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ffmpeg Debian Ffmpeg

Timeline

PublishedNov 29

Description

FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could lead to a data race if video encoding parameters were being exported, as the side data would be attached in the decoder thread while being read in the output thread.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/ffmpeg< ffmpeg 7:4.3.9-0+deb11u2 (bullseye)

▶Debianffmpeg/ffmpeg< 7:4.3.9-0+deb11u2+2

▶NVDffmpeg/ffmpeg7.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-36615: FFmpeg n7↗2024-11-29

▶

GHSA

GHSA-9fr3-g426-jq79: FFmpeg n7↗2024-11-29

▶

📋Vendor Advisories

Debian

CVE-2024-36615: ffmpeg - FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could le...↗2024

▶