CVE-2025-1594 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Ffmpeg

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121 — Stack-based Buffer Overflow CWE-787 — Out-of-bounds Write6 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 69.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ffmpeg Debian Ffmpeg

Timeline

PublishedFeb 23

Latest updateSep 4

Description

A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. This affects the function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c of the component AAC Encoder. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages4 packages

▶debiandebian/ffmpeg< ffmpeg 7:5.1.8-0+deb12u1 (bookworm)

▶Debianffmpeg/ffmpeg< 7:4.3.9-0+deb11u2+3

▶NVDffmpeg/ffmpeg7.1

▶CVEListV5ffmpeg/ffmpeg55 versions+54

🔴Vulnerability Details

CVEList

FFmpeg AAC Encoder aacenc_tns.c ff_aac_search_for_tns stack-based overflow↗2025-02-23

▶

GHSA

GHSA-37pp-xmcw-vg4w: A vulnerability, which was classified as critical, was found in FFmpeg up to 7↗2025-02-23

▶

OSV

CVE-2025-1594: A vulnerability, which was classified as critical, was found in FFmpeg up to 7↗2025-02-23

▶

📋Vendor Advisories

Ubuntu

FFmpeg vulnerability↗2025-09-04

▶

Debian

CVE-2025-1594: ffmpeg - A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1...↗2025

▶