CVE-2025-9951 — Heap-based Buffer Overflow in Ffmpeg

CWE-122 — Heap-based Buffer Overflow CWE-209 — Information Exposure via Error Message7 documents6 sources

Severity

7.2HIGHNVD

OSV7.5

EPSS

0.6%

top 31.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ffmpeg Debian Ffmpeg

Timeline

PublishedSep 9

Latest updateFeb 2

Description

A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows an attacker to potentially gain remote code execution or cause denial of service via the channel definition cdef atom of JPEG2000.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H

Affected Packages4 packages

▶CVEListV5ffmpeg/ffmpeg< 8.0

▶debiandebian/ffmpeg< ffmpeg 7:5.1.7-0+deb12u1 (bookworm)

▶Debianffmpeg/ffmpeg< 7:4.3.9-0+deb11u2+3

▶Ubuntuffmpeg/ffmpeg< 7:3.4.11-0ubuntu0.1+esm11+3

🔴Vulnerability Details

OSV

ffmpeg vulnerabilities↗2025-10-21

▶

OSV

CVE-2025-9951: A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows an attacker to potentially gain remote code execution or cause denial of servic↗2025-09-09

▶

CVEList

Remote code execution via Heap Buffer Overflow in FFmpeg JPEG2000↗2025-09-09

▶

📋Vendor Advisories

Red Hat

vLLM: vLLM: Remote code execution via invalid image processing in the multimodal endpoint.↗2026-02-02

▶

Ubuntu

FFmpeg vulnerabilities↗2025-10-21

▶

Debian

CVE-2025-9951: ffmpeg - A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows an attack...↗2025

▶