CVE-2024-7272 — Heap-based Buffer Overflow in Ffmpeg

CWE-122 — Heap-based Buffer Overflow CWE-787 — Out-of-bounds Write4 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.3%

top 48.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ffmpeg Debian Ffmpeg

Timeline

PublishedAug 12

Description

A vulnerability, which was classified as critical, was found in FFmpeg up to 5.1.5. This affects the function fill_audiodata of the file /libswresample/swresample.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. This issue was fixed in version 6.0 by 9903ba28c28ab18dc7b7b6fb8571cc8b5caae1a6 but a backport for 5.1 was forgotten. The exploit has been disclosed to the public and may be used. Upgrading to version 5.1.6 and 6.0 9903ba28c28ab18dc…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDffmpeg/ffmpeg< 5.1.6

▶debiandebian/ffmpeg< ffmpeg 7:5.1.6-0+deb12u1 (bookworm)

▶Debianffmpeg/ffmpeg< 7:5.1.6-0+deb12u1+2

▶CVEListV5ffmpeg/ffmpeg6 versions+5

🔴Vulnerability Details

GHSA

GHSA-7q2g-j3r8-hgwh: A vulnerability, which was classified as critical, was found in FFmpeg up to 5↗2024-08-12

▶

OSV

CVE-2024-7272: A vulnerability, which was classified as critical, was found in FFmpeg up to 5↗2024-08-12

▶

📋Vendor Advisories

Debian

CVE-2024-7272: ffmpeg - A vulnerability, which was classified as critical, was found in FFmpeg up to 5.1...↗2024

▶