CVE-2025-1816Missing Release of Memory after Effective Lifetime in Ffmpeg

CWE-401Missing Release of Memory after Effective LifetimeCWE-404Improper Resource Shutdown or Release6 documents5 sources
Severity
5.3MEDIUMNVD
OSV4.8
EPSS
0.1%
top 74.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
FfmpegDebian Ffmpeg
Timeline
PublishedMar 2
Latest updateMay 28

Description

A vulnerability classified as problematic has been found in FFmpeg up to 6e26f57f672b05e7b8b052007a83aef99dc81ccb. This affects the function audio_element_obu of the file libavformat/iamf_parse.c of the component IAMF File Handler. The manipulation of the argument num_parameters leads to memory leak. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 0526535cd58444dd264e810b2f3348b4d96cff3b. It is recommend

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages3 packages

debiandebian/ffmpeg< ffmpeg 7:7.1.1-1 (forky)
Debianffmpeg/ffmpeg< 7:7.1.1-1+1
Ubuntuffmpeg/ffmpeg< 7:2.8.17-0ubuntu0.1+esm10+4

🔴Vulnerability Details

3
OSV
ffmpeg vulnerabilities2025-05-28
OSV
CVE-2025-1816: A vulnerability classified as problematic has been found in FFmpeg up to 6e26f57f672b05e7b8b052007a83aef99dc81ccb2025-03-02
GHSA
GHSA-77wf-7c6r-cx8j: A vulnerability classified as problematic has been found in FFmpeg up to 6e26f57f672b05e7b8b052007a83aef99dc81ccb2025-03-02

📋Vendor Advisories

2
Ubuntu
FFmpeg vulnerabilities2025-05-28
Debian
CVE-2025-1816: ffmpeg - A vulnerability classified as problematic has been found in FFmpeg up to 6e26f57...2025