CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Ffmpeg : Security Vulnerabilities (CVSS score between 5 and 5.99)

CVSS Scores Greater Than: 0   1   2   3   4   5   6   7   8   9  
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2009-4632 189 DoS 2010-02-10 2011-10-26
5.8
 None Remote Medium Not required Partial None Partial
oggparsevorbis.c in FFmpeg 0.5 does not properly perform certain pointer arithmetic, which might allow remote attackers to obtain sensitive memory contents and cause a denial of service via a crafted file that triggers an out-of-bounds read.
2 CVE-2011-3973 399 DoS 2011-10-02 2012-08-22
5.0
 None Remote Low Not required None None Partial
cavsdec.c in libavcodec in FFmpeg before 0.7.4 and 0.8.x before 0.8.3 allows remote attackers to cause a denial of service (incorrect write operation and application crash) via an invalid bitstream in a Chinese AVS video (aka CAVS) file, related to the decode_residual_block, check_for_slice, and cavs_decode_frame functions, a different vulnerability than CVE-2011-3362.
3 CVE-2011-3974 189 DoS 2011-10-02 2012-08-22
5.0
 None Remote Low Not required None None Partial
Integer signedness error in the decode_residual_inter function in cavsdec.c in libavcodec in FFmpeg before 0.7.4 and 0.8.x before 0.8.3 allows remote attackers to cause a denial of service (incorrect write operation and application crash) via an invalid bitstream in a Chinese AVS video (aka CAVS) file, a different vulnerability than CVE-2011-3362.
4 CVE-2012-0854 119 DoS Overflow 2012-08-20 2018-10-30
5.0
 None Remote Low Not required None None Partial
The dpcm_decode_frame function in libavcodec/dpcm.c in FFmpeg before 0.9.1 does not use the proper pointer after an audio API change, which allows remote attackers to cause a denial of service (application crash) via unspecified vectors, which triggers a heap-based buffer overflow.
5 CVE-2012-0855 119 DoS Overflow 2012-08-27 2018-10-30
5.0
 None Remote Low Not required None None Partial
Heap-based buffer overflow in the get_sot function in the J2K decoder (j2k.c) in libavcodec in FFmpeg before 0.9.1 allows remote attackers to cause a denial of service (application crash) via unspecified vectors related to the curtileno variable.
6 CVE-2012-0857 119 DoS Overflow 2012-08-20 2018-10-30
5.0
 None Remote Low Not required None None Partial
Multiple buffer overflows in the get_qcx function in the J2K decoder (j2kdec.c) in libavcode in FFmpeg before 0.9.1 allow remote attackers to cause a denial of service (application crash) via unspecified vectors.
7 CVE-2012-2774 119 DoS Overflow Mem. Corr. 2012-09-10 2018-10-30
5.0
 None Remote Low Not required None None Partial
The ff_MPV_frame_start function in libavcodec/mpegvideo.c in FFmpeg before 0.11 allows remote attackers to cause a denial of service (memory corruption) via unspecified vectors, related to starting "a frame outside SETUP state."
8 CVE-2012-2805 404 DoS 2017-08-28 2017-08-31
5.0
 None Remote Low Not required None None Partial
Unspecified vulnerability in FFMPEG 0.10 allows remote attackers to cause a denial of service.
9 CVE-2012-6616 119 DoS Overflow 2013-12-24 2013-12-26
5.0
 None Remote Low Not required None None Partial
The mov_text_decode_frame function in libavcodec/movtextdec.c in FFmpeg before 1.0.2 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via crafted 3GPP TS 26.245 data.
10 CVE-2013-0861 119 Overflow Mem. Corr. 2013-11-23 2016-12-03
5.0
 None Remote Low Not required None Partial None
The avcodec_decode_audio4 function in libavcodec/utils.c in FFmpeg before 1.0.4 and 1.1.x before 1.1.1 allows remote attackers to trigger memory corruption via vectors related to the channel layout.
11 CVE-2013-4358 DoS 2013-12-24 2013-12-26
5.0
 None Remote Low Not required None None Partial
libavcodec/h264.c in FFmpeg before 0.11.4 allows remote attackers to cause a denial of service (crash) via vectors related to alternating bit depths in H.264 data.
12 CVE-2014-9319 119 DoS Overflow 2014-12-09 2016-12-03
5.0
 None Remote Low Not required None None Partial
The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted .bit file.
13 CVE-2016-6920 119 DoS Overflow 2017-01-23 2018-10-09
5.0
 None Remote Low Not required None None Partial
Heap-based buffer overflow in the decode_block function in libavcodec/exr.c in FFmpeg before 3.1.3 allows remote attackers to cause a denial of service (application crash) via vectors involving tile positions.
14 CVE-2017-9993 200 +Info 2017-06-28 2019-03-26
5.0
 None Remote Low Not required Partial None None
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.
15 CVE-2017-11665 20 DoS 2017-07-27 2018-06-13
5.0
 None Remote Low Not required None None Partial
The ff_amf_get_field_value function in libavformat/rtmppkt.c in FFmpeg 3.3.2 allows remote RTMP servers to cause a denial of service (Segmentation Violation and application crash) via a crafted stream.
16 CVE-2018-13300 125 DoS 2018-07-05 2021-01-04
5.8
 None Remote Medium Not required Partial None Partial
In FFmpeg 3.2 and 4.0.1, an improper argument (AVCodecParameters) passed to the avpriv_request_sample function in the handle_eac3 function in libavformat/movenc.c may trigger an out-of-array read while converting a crafted AVI file to MPEG4, leading to a denial of service and possibly an information disclosure.
17 CVE-2018-13305 125 DoS 2018-07-05 2020-01-14
5.8
 None Remote Medium Not required Partial None Partial
In FFmpeg 4.0.1, due to a missing check for negative values of the mquant variable, the vc1_put_blocks_clamped function in libavcodec/vc1_block.c may trigger an out-of-array access while converting a crafted AVI file to MPEG4, leading to an information disclosure or a denial of service.
18 CVE-2018-15822 617 2018-08-23 2022-10-07
5.0
 None Remote Low Not required None None Partial
The flv_write_packet function in libavformat/flvenc.c in FFmpeg through 2.8 does not check for an empty audio packet, leading to an assertion failure.
19 CVE-2020-20450 476 DoS 2021-05-25 2021-11-30
5.0
 None Remote Low Not required None None Partial
FFmpeg 4.2 is affected by null pointer dereference passed as argument to libavformat/aviobuf.c, which could cause a Denial of Service.
20 CVE-2020-20451 401 DoS 2021-05-25 2021-11-30
5.0
 None Remote Low Not required None None Partial
Denial of Service issue in FFmpeg 4.2 due to resource management errors via fftools/cmdutils.c.
21 CVE-2020-21041 120 DoS Overflow 2021-05-24 2021-12-10
5.0
 None Remote Low Not required None None Partial
Buffer Overflow vulnerability exists in FFmpeg 4.1 via apng_do_inverse_blend in libavcodec/pngenc.c, which could let a remote malicious user cause a Denial of Service
22 CVE-2020-35965 787 2021-01-04 2021-11-05
5.0
 None Remote Low Not required None None Partial
decode_frame in libavcodec/exr.c in FFmpeg 4.3.1 has an out-of-bounds write because of errors in calculations of when to perform memset zero operations.
23 CVE-2021-38291 617 2021-08-12 2021-12-02
5.0
 None Remote Low Not required None None Partial
FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) suffers from a an assertion failure at src/libavutil/mathematics.c.
Total number of vulnerabilities : 23   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.