CVE-2025-59729: Out-of-bounds Write in FFmpeg

Severity: 5.7 MEDIUM (NVD)
EPSS: 0.0% (top 94.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Oct 6

Description

When parsing the header for a DHAV file, there's an integer underflow in the offset calculation that leads to reading the duration from before the start of the allocated buffer. If we load a DHAV file that is larger than MAX_DURATION_BUFFER_SIZE bytes (0x100000), for example 0x101000 bytes, then at [0] we have size = 0x101000. At [1] we have end_buffer_size = 0x100000, and at [2] we have end_buffer_pos = 0x1000. The loop then scans backwards through the buffer looking for the dhav tag; when it is f

CVSS vector

CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N

Affected Packages (2 packages)

CVEListV5: ffmpeg/ffmpeg, a218cafe4d3be005ab0c61130f90db4d21afb5db, 8.0
debian: debian/ffmpeg

🔴 Vulnerability Details (3)

OSV (2025-10-06)
CVE-2025-59729: When parsing the header for a DHAV file, there's an integer underflow in offset calculation that leads to reading the duration from before the start o
CVEList (2025-10-06)
Heap-buffer-overflow read in FFmpeg DHAV get_duration
GHSA (2025-10-06)
GHSA-j8h4-v947-5h7q: When parsing the header for a DHAV file, there's an integer underflow in offset calculation that leads to reading the duration from before the start o

📋 Vendor Advisories (2)

Red Hat (2025-10-06)
FFmpeg: FFmpeg: Integer underflow in DHAV file header parsing leads to out-of-bounds read
Debian (2025)
CVE-2025-59729: ffmpeg - When parsing the header for a DHAV file, there's an integer underflow in offset ...