CVE-2025-59730Out-of-bounds Write in Ffmpeg

CWE-787Out-of-bounds Write6 documents6 sources
Severity
5.7MEDIUMNVD
EPSS
0.0%
top 95.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
FfmpegDebian Ffmpeg
Timeline
PublishedOct 6

Description

When decoding a frame for a SANM file (ANIM v0 variant), the decoded data can be larger than the buffer allocated for it. Frames encoded with codec 48 can specify their resolution (width x height). A buffer of appropriate size is allocated depending on the resolution. This codec can encode the frame contents using a run-length encoding algorithm. There are no checks that the decoded frame fits in the allocated buffer, leading to a heap-buffer-overflow. process_frame_obj initializes the buffer

CVSS vector

CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N

Affected Packages2 packages

CVEListV5ffmpeg/ffmpeg829680f96a7a7ff02d1543895ec0fb713309d5c08.0
debiandebian/ffmpeg

🔴Vulnerability Details

3
GHSA
GHSA-3x55-g2vp-hv3w: When decoding a frame for a SANM file (ANIM v0 variant), the decoded data can be larger than the buffer allocated for it2025-10-06
OSV
CVE-2025-59730: When decoding a frame for a SANM file (ANIM v0 variant), the decoded data can be larger than the buffer allocated for it2025-10-06
CVEList
Heap-buffer-overflow write in FFmpeg SANM decoding due to lack of bounds-checking in old_codec482025-10-06

📋Vendor Advisories

2
Red Hat
FFmpeg: FFmpeg: Heap-buffer-overflow in SANM (ANIM v0 variant) file frame decoding2025-10-06
Debian
CVE-2025-59730: ffmpeg - When decoding a frame for a SANM file (ANIM v0 variant), the decoded data can be...2025