Webmproject Libvpx vulnerabilities
27 known vulnerabilities affecting webmproject/libvpx.
Total CVEs: 27
CISA KEV: 1 (actively exploited)
Public exploits: 0
Exploited in wild: 1
Severity breakdown: CRITICAL 4, HIGH 10, MEDIUM 13
Vulnerabilities
Page 1 of 2
CVE-2026-2447 | HIGH | CVSS 8.8 | ≥ 0, < 1.9.0-1+deb11u5; ≥ 0, < 1.12.0-1+deb12u5; +2 more | 2026-02-16
Heap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird < 140.7.2, and Thunderbird < 147.0.2.
osv
CVE-2025-5283 | MEDIUM | CVSS 5.4 | ≥ 0, < 1.9.0-1+deb11u4; ≥ 0, < 1.12.0-1+deb12u4; +1 more | 2025-05-27
Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
osv
CVE-2024-5197 | MEDIUM | CVSS 5.9 | CWE-190 | fixed in 1.14.1 | 2024-06-03
There exist integer overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h
nvd, osv
CVE-2023-6349 | MEDIUM | CVSS 5.7 | CWE-122 | fixed in 1.13.1 | 2024-05-27
A heap overflow vulnerability exists in libvpx - Encoding a frame that has larger dimensions than the originally configured size with VP9 may result in a heap overflow in libvpx.
We recommend upgrading to version 1.13.1 or above.
nvd, osv
CVE-2023-44488 | HIGH | CVSS 7.5 | CWE-755 | fixed in 1.13.1 | 2023-09-30
VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding.
nvd, osv
CVE-2023-5217 | HIGH | CVSS 8.8 | KEV | CWE-787 | fixed in 1.13.1 | 2023-09-28
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
nvd, osv
CVE-2020-0034 | HIGH | CVSS 7.5 | ≥ 0, < 1.7.0-3 | 2020-03-10
In vp8_decode_frame of decodeframe.c, there is a possible out of bounds read due to improper input validation. This could lead to remote information disclosure if error correction were turned on, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1. Android ID: A-62458770
osv
CVE-2019-9232 | HIGH | CVSS 7.5 | ≥ 0, < 1.8.1-2 | 2019-09-27
In libvpx, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-122675483
osv
CVE-2019-9325 | MEDIUM | CVSS 6.5 | ≥ 0, < 1.8.1-2 | 2019-09-27
In libvpx, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-112001302
osv
CVE-2019-9433 | MEDIUM | CVSS 6.5 | ≥ 0, < 1.8.1-2 | 2019-09-27
In libvpx, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-80479354
osv
CVE-2019-9371 | MEDIUM | CVSS 6.5 | ≥ 0, < 1.8.1-2 | 2019-09-27
In libvpx, there is a possible resource exhaustion due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-132783254
osv
CVE-2019-2126 | HIGH | CVSS 8.8 | ≥ 0, < 1.7.0-3ubuntu0.18.04.1 | 2019-08-20
In ParseContentEncodingEntry of mkvparser.cc, there is a possible double free due to a missing reset of a freed pointer. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-127702368.
osv
CVE-2017-13194 | HIGH | CVSS 7.5 | ≥ 0, < 1.7.0-2 | 2018-01-12
A vulnerability in the Android media framework (libvpx) related to odd frame width. Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-64710201.
osv
CVE-2017-0393 | MEDIUM | CVSS 5.5 | ≥ 0, < 1.6.1-1 | 2017-01-12
A denial of service vulnerability in libvpx in Mediaserver could enable a remote attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1. Andr
osv
CVE-2016-6712 | MEDIUM | CVSS 5.5 | ≥ 0, < 1.6.1-1 | 2016-12-13
A remote denial of service vulnerability in libvpx in Mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-01 could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. Android ID: A-30593752.
osv
CVE-2016-6711 | MEDIUM | CVSS 5.5 | ≥ 0, < 1.6.1-1 | 2016-12-13
A remote denial of service vulnerability in libvpx in Mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-01 could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. Android ID: A-30593765.
osv
CVE-2016-3881 | MEDIUM | CVSS 5.5 | ≥ 0, < 1.6.1-1 | 2016-09-11
The decoder_peek_si_internal function in vp9/vp9_dx_iface.c in libvpx in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01 allows remote attackers to cause a denial of service (buffer over-read, and device hang or reboot) via a crafted media file, aka internal bug 30013856.
osv
CVE-2016-2464 | HIGH | CVSS 7.8 | ≥ 0, < 1.6.1-1 | 2016-06-13
libvpx in libwebm in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-06-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted mkv file, aka internal bug 23167726.
osv
CVE-2016-1621 | CRITICAL | CVSS 9.8 | ≥ 0, < 1.6.1-1 | 2016-03-12
libvpx in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.0 before 2016-03-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, related to libwebm/mkvparser.cpp and other files, aka internal bug 23452792.
osv
CVE-2015-4506 | MEDIUM | CVSS 6.8 | ≥ 0, < 1.4.0-4 | 2015-09-24
Buffer overflow in the vp9_init_context_buffers function in libvpx, as used in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3, allows remote attackers to execute arbitrary code via a crafted VP9 file.
osv