Action not permitted
Modal body text goes here.
Modal Title
Modal Body
WID-SEC-W-2025-2130
Vulnerability from csaf_certbund - Published: 2025-09-24 22:00 - Updated: 2025-10-27 23:00Summary
ffmpeg: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Das FFmpeg-Projekt besteht aus freien Programmen und Bibliotheken, die es ermöglichen, digitales Video- und Audiomaterial aufzunehmen, zu konvertieren, zu streamen und abzuspielen. Zudem enthält es mit libavcodec eine Audio- und Video-Codec-Sammlung, die verschiedene Codecs zur Verfügung stellt.
Angriff
Ein Angreifer kann mehrere Schwachstellen in ffmpeg ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen.
Betroffene Betriebssysteme
- Sonstiges
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Das FFmpeg-Projekt besteht aus freien Programmen und Bibliotheken, die es erm\u00f6glichen, digitales Video- und Audiomaterial aufzunehmen, zu konvertieren, zu streamen und abzuspielen. Zudem enth\u00e4lt es mit libavcodec eine Audio- und Video-Codec-Sammlung, die verschiedene Codecs zur Verf\u00fcgung stellt.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in ffmpeg ausnutzen, um einen nicht n\u00e4her spezifizierten Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2130 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2130.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2130 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2130"
},
{
"category": "external",
"summary": "FFmpeg Security vom 2025-09-24",
"url": "https://ffmpeg.org/security.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:3715-1 vom 2025-10-22",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JNBDRTFXWJWZJYPLM4OP5ZCYXRVDYORV/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:3810-1 vom 2025-10-27",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DZZITL75K7VGOQPQH64SBQ5ZX3A4KEN6/"
}
],
"source_lang": "en-US",
"title": "ffmpeg: Mehrere Schwachstellen erm\u00f6glichen nicht spezifizierten Angriff",
"tracking": {
"current_release_date": "2025-10-27T23:00:00.000+00:00",
"generator": {
"date": "2025-10-28T09:28:35.518+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-2130",
"initial_release_date": "2025-09-24T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-09-24T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-10-05T22:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2025-32518, EUVD-2025-32519, EUVD-2025-32516, EUVD-2025-32517"
},
{
"date": "2025-10-06T22:00:00.000+00:00",
"number": "3",
"summary": "Referenz(en) aufgenommen: EUVD-2025-32514, EUVD-2025-32513, EUVD-2025-32515"
},
{
"date": "2025-10-21T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-10-27T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von SUSE aufgenommen"
}
],
"status": "final",
"version": "5"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c8.0",
"product": {
"name": "Open Source ffmpeg \u003c8.0",
"product_id": "T047174"
}
},
{
"category": "product_version",
"name": "8",
"product": {
"name": "Open Source ffmpeg 8.0",
"product_id": "T047174-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ffmpeg:ffmpeg:8.0"
}
}
},
{
"category": "product_version_range",
"name": "\u003c7.1.2",
"product": {
"name": "Open Source ffmpeg \u003c7.1.2",
"product_id": "T047175"
}
},
{
"category": "product_version",
"name": "7.1.2",
"product": {
"name": "Open Source ffmpeg 7.1.2",
"product_id": "T047175-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ffmpeg:ffmpeg:7.1.2"
}
}
},
{
"category": "product_version_range",
"name": "\u003c7.0.3",
"product": {
"name": "Open Source ffmpeg \u003c7.0.3",
"product_id": "T047176"
}
},
{
"category": "product_version",
"name": "7.0.3",
"product": {
"name": "Open Source ffmpeg 7.0.3",
"product_id": "T047176-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ffmpeg:ffmpeg:7.0.3"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.1.3",
"product": {
"name": "Open Source ffmpeg \u003c6.1.3",
"product_id": "T047177"
}
},
{
"category": "product_version",
"name": "6.1.3",
"product": {
"name": "Open Source ffmpeg 6.1.3",
"product_id": "T047177-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ffmpeg:ffmpeg:6.1.3"
}
}
},
{
"category": "product_version_range",
"name": "\u003c5.1.7",
"product": {
"name": "Open Source ffmpeg \u003c5.1.7",
"product_id": "T047178"
}
},
{
"category": "product_version",
"name": "5.1.7",
"product": {
"name": "Open Source ffmpeg 5.1.7",
"product_id": "T047178-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:ffmpeg:ffmpeg:5.1.7"
}
}
}
],
"category": "product_name",
"name": "ffmpeg"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-59728",
"product_status": {
"known_affected": [
"T002207",
"T047174",
"T047177",
"T047178",
"T047175",
"T047176"
]
},
"release_date": "2025-09-24T22:00:00.000+00:00",
"title": "CVE-2025-59728"
},
{
"cve": "CVE-2025-59729",
"product_status": {
"known_affected": [
"T002207",
"T047174",
"T047177",
"T047178",
"T047175",
"T047176"
]
},
"release_date": "2025-09-24T22:00:00.000+00:00",
"title": "CVE-2025-59729"
},
{
"cve": "CVE-2025-59730",
"product_status": {
"known_affected": [
"T002207",
"T047174",
"T047177",
"T047178",
"T047175",
"T047176"
]
},
"release_date": "2025-09-24T22:00:00.000+00:00",
"title": "CVE-2025-59730"
},
{
"cve": "CVE-2025-59731",
"product_status": {
"known_affected": [
"T002207",
"T047174",
"T047177",
"T047178",
"T047175",
"T047176"
]
},
"release_date": "2025-09-24T22:00:00.000+00:00",
"title": "CVE-2025-59731"
},
{
"cve": "CVE-2025-59732",
"product_status": {
"known_affected": [
"T002207",
"T047174",
"T047177",
"T047178",
"T047175",
"T047176"
]
},
"release_date": "2025-09-24T22:00:00.000+00:00",
"title": "CVE-2025-59732"
},
{
"cve": "CVE-2025-59733",
"product_status": {
"known_affected": [
"T002207",
"T047174",
"T047177",
"T047178",
"T047175",
"T047176"
]
},
"release_date": "2025-09-24T22:00:00.000+00:00",
"title": "CVE-2025-59733"
},
{
"cve": "CVE-2025-59734",
"product_status": {
"known_affected": [
"T002207",
"T047174",
"T047177",
"T047178",
"T047175",
"T047176"
]
},
"release_date": "2025-09-24T22:00:00.000+00:00",
"title": "CVE-2025-59734"
}
]
}
CVE-2025-59732 (GCVE-0-2025-59732)
Vulnerability from cvelistv5 – Published: 2025-10-06 08:09 – Updated: 2025-10-19 14:52
VLAI?
EPSS
Title
Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress
Summary
When decoding an OpenEXR file that uses DWAA or DWAB compression, there's an implicit assumption that the height and width are divisible by 8.
If the height or width of the image is not divisible by 8, the copy loops at [0] and [1] will continue to write until the next multiple of 8.
The buffer td->uncompressed_data is allocated in decode_block based on the precise height and width of the image, so the "rounded-up" multiple of 8 in the copy loop can exceed the buffer bounds, and the write block starting at [2] can corrupt following heap memory.
We recommend upgrading to version 8.0 or beyond.
Severity ?
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
Credits
Google Big Sleep
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59732",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T03:55:12.275Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://git.ffmpeg.org/ffmpeg.git",
"defaultStatus": "unaffected",
"packageName": "EXR",
"product": "FFmpeg",
"repo": "https://git.ffmpeg.org/ffmpeg.git",
"vendor": "FFmpeg",
"versions": [
{
"lessThan": "8.0",
"status": "affected",
"version": "9a32b863074ed4140141e0d3613905c6f1fe61c5",
"versionType": "custom"
},
{
"lessThan": "8.0",
"status": "affected",
"version": "7.1.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Google Big Sleep"
}
],
"datePublic": "2025-08-04T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eWhen decoding an OpenEXR file that uses DWAA or DWAB compression, there\u0027s an implicit assumption that the height and width are divisible by 8.\u003c/p\u003e\u003cp\u003eIf the height or width of the image is not divisible by 8, the copy loops at [0] and [1] will continue to write until the next multiple of 8.\u003c/p\u003e\u003cp\u003eThe buffer \u003ccode\u003etd-\u0026gt;uncompressed_data\u003c/code\u003e\u0026nbsp;is allocated in \u003ccode\u003edecode_block\u003c/code\u003e\u0026nbsp;based on the precise height and width of the image, so the \"rounded-up\" multiple of 8 in the copy loop can exceed the buffer bounds, and the write block starting at [2] can corrupt following heap memory.\u003c/p\u003e\u003cp\u003e\u003c/p\u003eWe recommend upgrading to version 8.0 or beyond.\u003cp\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "When decoding an OpenEXR file that uses DWAA or DWAB compression, there\u0027s an implicit assumption that the height and width are divisible by 8.\n\nIf the height or width of the image is not divisible by 8, the copy loops at [0] and [1] will continue to write until the next multiple of 8.\n\nThe buffer td-\u003euncompressed_data\u00a0is allocated in decode_block\u00a0based on the precise height and width of the image, so the \"rounded-up\" multiple of 8 in the copy loop can exceed the buffer bounds, and the write block starting at [2] can corrupt following heap memory.\n\n\n\nWe recommend upgrading to version 8.0 or beyond."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-19T14:52:36.920Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://issuetracker.google.com/436510316"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2025-59732",
"datePublished": "2025-10-06T08:09:31.276Z",
"dateReserved": "2025-09-19T08:11:37.550Z",
"dateUpdated": "2025-10-19T14:52:36.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59731 (GCVE-0-2025-59731)
Vulnerability from cvelistv5 – Published: 2025-10-06 08:09 – Updated: 2025-10-19 14:53
VLAI?
EPSS
Title
Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress
Summary
When decoding an OpenEXR file that uses DWAA or DWAB compression, the specified raw length of run-length-encoded data is not checked when using it to calculate the output data.
We read rle_raw_size from the input file at [0], we decompress and decode into the buffer td->rle_raw_data of size rle_raw_size at [1], and then at [2] we will access entries in this buffer up to (td->xsize - 1) * (td->ysize - 1) + rle_raw_size / 2, which may exceed rle_raw_size.
We recommend upgrading to version 8.0 or beyond.
Severity ?
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
Credits
Google Big Sleep
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59731",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T03:55:11.056Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://git.ffmpeg.org/ffmpeg.git",
"defaultStatus": "unaffected",
"packageName": "EXR",
"product": "FFmpeg",
"repo": "https://git.ffmpeg.org/ffmpeg.git",
"vendor": "FFmpeg",
"versions": [
{
"lessThan": "8.0",
"status": "affected",
"version": "9a32b863074ed4140141e0d3613905c6f1fe61c5",
"versionType": "custom"
},
{
"lessThan": "8.0",
"status": "affected",
"version": "7.1.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Google Big Sleep"
}
],
"datePublic": "2025-08-04T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eWhen decoding an OpenEXR file that uses DWAA or DWAB compression, the specified raw length of run-length-encoded data is not checked when using it to calculate the output data.\u003c/p\u003e\u003cp\u003eWe read \u003ccode\u003erle_raw_size\u003c/code\u003e\u0026nbsp;from the input file at [0], we decompress and decode into the buffer \u003ccode\u003etd-\u0026gt;rle_raw_data\u003c/code\u003e\u0026nbsp;of size \u003ccode\u003erle_raw_size\u003c/code\u003e\u0026nbsp;at [1], and then at [2] we will access entries in this buffer up to \u003ccode\u003e(td-\u0026gt;xsize - 1) * (td-\u0026gt;ysize - 1) + rle_raw_size / 2\u003c/code\u003e, which may exceed \u003ccode\u003erle_raw_size\u003c/code\u003e.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003eWe recommend upgrading to version 8.0 or beyond.\u003cp\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "When decoding an OpenEXR file that uses DWAA or DWAB compression, the specified raw length of run-length-encoded data is not checked when using it to calculate the output data.\n\nWe read rle_raw_size\u00a0from the input file at [0], we decompress and decode into the buffer td-\u003erle_raw_data\u00a0of size rle_raw_size\u00a0at [1], and then at [2] we will access entries in this buffer up to (td-\u003exsize - 1) * (td-\u003eysize - 1) + rle_raw_size / 2, which may exceed rle_raw_size.\n\n\n\n\nWe recommend upgrading to version 8.0 or beyond."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-19T14:53:00.719Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://issuetracker.google.com/436510153"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2025-59731",
"datePublished": "2025-10-06T08:09:23.410Z",
"dateReserved": "2025-09-19T08:11:37.550Z",
"dateUpdated": "2025-10-19T14:53:00.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59734 (GCVE-0-2025-59734)
Vulnerability from cvelistv5 – Published: 2025-10-06 08:09 – Updated: 2025-10-19 14:51
VLAI?
EPSS
Title
Heap-buffer-overflow write in FFmpeg SANM process_ftch
Summary
It is possible to cause an use-after-free write in SANM decoding with a carefully crafted animation using subversion <2.
When a STOR chunk is present, a subsequent FOBJ chunk will be saved in ctx->stored_frame. Stored frames can later be referenced by FTCH chunks. For files using subversion < 2, the undecoded frame is stored, and decoded again when the FTCH chunks are parsed. However, in process_frame_obj if the frame has an invalid size, there’s an early return, with a value of 0.
This causes the code in decode_frame to still store the raw frame buffer into ctx->stored_frame. Leaving ctx->has_dimensions set to false.
A subsequent chunk with type FTCH would call process_ftch and decode that frame obj again, adding to the top/left values and calling process_frame_obj again.
Given that we never set ctx->have_dimensions before, this time we set the dimensions, calling init_buffers, which can reallocate the buffer in ctx->stored_frame, freeing the previous one. However, the GetByteContext object gb still holds a reference to the old buffer.
Finally, when the code tries to decode the frame, codecs that accept a GetByteContext as a parameter will trigger a use-after-free read when using gb.
GetByteContext is only used for reading bytes, so at most one could read invalid data. There are no heap allocations between the free and when the object is accessed. However, upon returning to process_ftch, the code restores the original values for top/left in stored_frame, writing 4 bytes to the freed data at offset 6, potentially corrupting the allocator’s metadata.
This issue can be triggered just by probing whether a file has the sanm format.
We recommend upgrading to version 8.0 or beyond.
Severity ?
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
Credits
Google Big Sleep
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59734",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T03:55:14.843Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://git.ffmpeg.org/ffmpeg.git",
"defaultStatus": "unaffected",
"packageName": "SANM",
"product": "FFmpeg",
"repo": "https://git.ffmpeg.org/ffmpeg.git",
"vendor": "FFmpeg",
"versions": [
{
"lessThan": "8.0",
"status": "affected",
"version": "4d7c609be37dc57d31527c8c9e5945dc9491a7cd",
"versionType": "custom"
},
{
"lessThan": "8.0",
"status": "affected",
"version": "7.1.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Google Big Sleep"
}
],
"datePublic": "2025-08-20T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eIt is possible to cause an use-after-free write in SANM decoding with a carefully crafted animation using subversion \u0026lt;2.\u003c/p\u003e\u003cp\u003eWhen a \u003ccode\u003eSTOR\u003c/code\u003e\u0026nbsp;chunk is present, a subsequent \u003ccode\u003eFOBJ\u003c/code\u003e\u0026nbsp;chunk will be saved in \u003ccode\u003ectx-\u0026gt;stored_frame\u003c/code\u003e. Stored frames can later be referenced by \u003ccode\u003eFTCH\u003c/code\u003e\u0026nbsp;chunks. For files using subversion \u0026lt; 2, the undecoded frame is stored, and decoded again when the \u003ccode\u003eFTCH\u003c/code\u003e\u0026nbsp;chunks are parsed.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHowever, in \u003c/span\u003e\u003ccode\u003eprocess_frame_obj\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;if the frame has an invalid size, there\u2019s an early return, with a value of 0.\u0026nbsp;\u003c/span\u003e\u003c/p\u003e\u003cp\u003eThis causes the code in \u003ccode\u003edecode_frame\u003c/code\u003e\u0026nbsp;to still store the raw frame buffer into \u003ccode\u003ectx-\u0026gt;stored_frame\u003c/code\u003e. Leaving \u003ccode\u003ectx-\u0026gt;has_dimensions\u003c/code\u003e\u0026nbsp;set to \u003ccode\u003efalse\u003c/code\u003e.\u003c/p\u003e\u003cp\u003eA subsequent chunk with type \u003ccode\u003eFTCH\u003c/code\u003e\u0026nbsp;would call \u003ccode\u003eprocess_ftch\u003c/code\u003e\u0026nbsp;and decode that frame obj again, adding to the top/left values and calling \u003ccode\u003eprocess_frame_obj\u003c/code\u003e\u0026nbsp;again.\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eGiven that we never set \u003c/span\u003e\u003ccode\u003ectx-\u0026gt;have_dimensions\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;before, this time we set the dimensions, calling \u003c/span\u003e\u003ccode\u003einit_buffers\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, which can reallocate the buffer in \u003c/span\u003e\u003ccode\u003ectx-\u0026gt;stored_frame\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, freeing the previous one. However, the \u003c/span\u003e\u003ccode\u003eGetByteContext\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;object \u003c/span\u003e\u003ccode\u003egb\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;still holds a reference to the old buffer.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eFinally, when the code tries to decode the frame, codecs that accept a \u003ccode\u003eGetByteContext\u003c/code\u003e\u0026nbsp;as a parameter will trigger a use-after-free read when using \u003ccode\u003egb\u003c/code\u003e.\u003c/p\u003e\u003cp\u003e\u003ccode\u003eGetByteContext\u003c/code\u003e\u0026nbsp;is only used for reading bytes, so at most one could read invalid data. There are no heap allocations between the \u003ccode\u003efree\u003c/code\u003e\u0026nbsp;and when the object is accessed. However, upon returning to \u003ccode\u003eprocess_ftch\u003c/code\u003e, the code \u003cem\u003erestores\u003c/em\u003e\u0026nbsp;the original values for top/left in \u003ccode\u003estored_frame\u003c/code\u003e, writing 4 bytes to the freed data at offset 6, potentially corrupting the allocator\u2019s metadata.\u003c/p\u003e\u003cp\u003eThis issue can be triggered just by probing whether a file has the sanm format.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003eWe recommend upgrading to version 8.0 or beyond.\u003cp\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "It is possible to cause an use-after-free write in SANM decoding with a carefully crafted animation using subversion \u003c2.\n\nWhen a STOR\u00a0chunk is present, a subsequent FOBJ\u00a0chunk will be saved in ctx-\u003estored_frame. Stored frames can later be referenced by FTCH\u00a0chunks. For files using subversion \u003c 2, the undecoded frame is stored, and decoded again when the FTCH\u00a0chunks are parsed.\u00a0However, in process_frame_obj\u00a0if the frame has an invalid size, there\u2019s an early return, with a value of 0.\u00a0\n\nThis causes the code in decode_frame\u00a0to still store the raw frame buffer into ctx-\u003estored_frame. Leaving ctx-\u003ehas_dimensions\u00a0set to false.\n\nA subsequent chunk with type FTCH\u00a0would call process_ftch\u00a0and decode that frame obj again, adding to the top/left values and calling process_frame_obj\u00a0again.\nGiven that we never set ctx-\u003ehave_dimensions\u00a0before, this time we set the dimensions, calling init_buffers, which can reallocate the buffer in ctx-\u003estored_frame, freeing the previous one. However, the GetByteContext\u00a0object gb\u00a0still holds a reference to the old buffer.\n\n\n\n\nFinally, when the code tries to decode the frame, codecs that accept a GetByteContext\u00a0as a parameter will trigger a use-after-free read when using gb.\n\nGetByteContext\u00a0is only used for reading bytes, so at most one could read invalid data. There are no heap allocations between the free\u00a0and when the object is accessed. However, upon returning to process_ftch, the code restores\u00a0the original values for top/left in stored_frame, writing 4 bytes to the freed data at offset 6, potentially corrupting the allocator\u2019s metadata.\n\nThis issue can be triggered just by probing whether a file has the sanm format.\n\n\n\n\n\n\n\nWe recommend upgrading to version 8.0 or beyond."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-19T14:51:43.143Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://issuetracker.google.com/440183164"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Heap-buffer-overflow write in FFmpeg SANM process_ftch",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2025-59734",
"datePublished": "2025-10-06T08:09:44.280Z",
"dateReserved": "2025-09-19T08:11:37.550Z",
"dateUpdated": "2025-10-19T14:51:43.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59733 (GCVE-0-2025-59733)
Vulnerability from cvelistv5 – Published: 2025-10-06 08:09 – Updated: 2025-10-19 14:52
VLAI?
EPSS
Title
Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress
Summary
When decoding an OpenEXR file that uses DWAA or DWAB compression, there's an implicit assumption that all image channels have the same pixel type (and size), and that if there are four channels, the first four are "B", "G", "R" and "A". The channel parsing code can be found in decode_header. The buffer td->uncompressed_data is allocated in decode_block based on the xsize, ysize and computed current_channel_offset.
The function dwa_uncompress then assumes at [5] that if there are 4 channels, these are "B", "G", "R" and "A", and in the calculations at [6] and [7] that all channels are of the same type, which matches the type of the main color channels.
If we set the main color channels to a 4-byte type and add duplicate or unknown channels of the 2-byte EXR_HALF type, then the addition at [7] will increment the pointer by 4-bytes * xsize * nb_channels, which will exceed the allocated buffer.
We recommend upgrading to version 8.0 or beyond.
Severity ?
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
Credits
Google Big Sleep
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59733",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T03:55:13.641Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://git.ffmpeg.org/ffmpeg.git",
"defaultStatus": "unaffected",
"packageName": "EXR",
"product": "FFmpeg",
"repo": "https://git.ffmpeg.org/ffmpeg.git",
"vendor": "FFmpeg",
"versions": [
{
"lessThan": "8.0",
"status": "affected",
"version": "9a32b863074ed4140141e0d3613905c6f1fe61c5",
"versionType": "custom"
},
{
"lessThan": "8.0",
"status": "affected",
"version": "7.1.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Google Big Sleep"
}
],
"datePublic": "2025-08-04T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen decoding an OpenEXR file that uses DWAA or DWAB compression, there\u0027s an implicit assumption that all image channels have the same pixel type (and size), and that if there are four channels, the first four are \u003c/span\u003e\u003ccode\u003e\"B\"\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, \u003c/span\u003e\u003ccode\u003e\"G\"\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, \u003c/span\u003e\u003ccode\u003e\"R\"\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003ccode\u003e\"A\"\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. The channel parsing code can be found in \u003c/span\u003e\u003ccode\u003edecode_header.\u0026nbsp;\u003cp\u003eThe buffer \u003ccode\u003etd-\u0026gt;uncompressed_data\u003c/code\u003e\u0026nbsp;is allocated in \u003ccode\u003edecode_block\u003c/code\u003e\u0026nbsp;based on the \u003ccode\u003exsize\u003c/code\u003e, \u003ccode\u003eysize\u003c/code\u003e\u0026nbsp;and computed \u003ccode\u003ecurrent_channel_offset\u003c/code\u003e.\u003c/p\u003e\u003cp\u003eThe function \u003ccode\u003edwa_uncompress\u003c/code\u003e\u0026nbsp;then assumes at [5] that if there are 4 channels, these are \u003ccode\u003e\"B\"\u003c/code\u003e, \u003ccode\u003e\"G\"\u003c/code\u003e, \u003ccode\u003e\"R\"\u003c/code\u003e\u0026nbsp;and \u003ccode\u003e\"A\"\u003c/code\u003e, and in the calculations at [6] and [7] that all channels are of the same type, which matches the type of the main color channels.\u003c/p\u003e\u003cp\u003eIf we set the main color channels to a 4-byte type and add duplicate or unknown channels of the 2-byte \u003ccode\u003eEXR_HALF\u003c/code\u003e\u0026nbsp;type, then the addition at [7] will increment the pointer by \u003ccode\u003e4-bytes * xsize * nb_channels\u003c/code\u003e, which will exceed the allocated buffer.\u003c/p\u003e\u003c/code\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003eWe recommend upgrading to version 8.0 or beyond.\u003cp\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "When decoding an OpenEXR file that uses DWAA or DWAB compression, there\u0027s an implicit assumption that all image channels have the same pixel type (and size), and that if there are four channels, the first four are \"B\", \"G\", \"R\"\u00a0and \"A\". The channel parsing code can be found in decode_header.\u00a0The buffer td-\u003euncompressed_data\u00a0is allocated in decode_block\u00a0based on the xsize, ysize\u00a0and computed current_channel_offset.\n\nThe function dwa_uncompress\u00a0then assumes at [5] that if there are 4 channels, these are \"B\", \"G\", \"R\"\u00a0and \"A\", and in the calculations at [6] and [7] that all channels are of the same type, which matches the type of the main color channels.\n\nIf we set the main color channels to a 4-byte type and add duplicate or unknown channels of the 2-byte EXR_HALF\u00a0type, then the addition at [7] will increment the pointer by 4-bytes * xsize * nb_channels, which will exceed the allocated buffer.\n\n\n\n\n\nWe recommend upgrading to version 8.0 or beyond."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-19T14:52:14.577Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://issuetracker.google.com/436511754"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2025-59733",
"datePublished": "2025-10-06T08:09:37.290Z",
"dateReserved": "2025-09-19T08:11:37.550Z",
"dateUpdated": "2025-10-19T14:52:14.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59728 (GCVE-0-2025-59728)
Vulnerability from cvelistv5 – Published: 2025-10-06 08:08 – Updated: 2025-10-08 03:55
VLAI?
EPSS
Title
Heap-buffer-overflow write in FFmpeg MDASH resolve_content_path
Summary
When calculating the content path in handling of MPEG-DASH manifests, there's an out-of-bounds NUL-byte write one byte past the end of the buffer.When we call xmlNodeGetContent below [0], it returns a buffer precisely allocated to match the string length, using strdup internally. If this buffer is not an empty string, it is assigned to root_url at [1].If the last (non-NUL) byte in this buffer is not '/' then we append '/' in-place at [2]. This will write two bytes into the buffer, starting at the last valid byte in the buffer, writing the NUL byte beyond the end of the allocated buffer.
We recommend upgrading to version 8.0 or beyond.
Severity ?
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
Credits
Google Big Sleep
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T03:55:08.382Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://git.ffmpeg.org/ffmpeg.git",
"defaultStatus": "unaffected",
"product": "MPEG-DASH",
"repo": "https://git.ffmpeg.org/ffmpeg.git",
"vendor": "FFmpeg",
"versions": [
{
"lessThan": "8.0",
"status": "affected",
"version": "7.1.1",
"versionType": "semver"
},
{
"lessThan": "8.0",
"status": "affected",
"version": "a218cafe4d3be005ab0c61130f90db4d21afb5db",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Google Big Sleep"
}
],
"datePublic": "2025-07-21T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWhen calculating the content path in handling of MPEG-DASH manifests, there\u0027s an out-of-bounds NUL-byte write one byte past the end of the buffer.When we call \u003ccode\u003exmlNodeGetContent\u003c/code\u003e\u0026nbsp;below [0], it returns a buffer precisely allocated to match the string length, using \u003ccode\u003estrdup\u003c/code\u003e\u0026nbsp;internally. If this buffer is not an empty string, it is assigned to \u003ccode\u003eroot_url\u003c/code\u003e\u0026nbsp;at [1].If the last (non-NUL) byte in this buffer is not \u003ccode\u003e\u0027/\u0027\u003c/code\u003e\u0026nbsp;then we append \u003ccode\u003e\u0027/\u0027\u003c/code\u003e\u0026nbsp;in-place at [2]. This will write two bytes into the buffer, starting at the last valid byte in the buffer, writing the NUL byte beyond the end of the allocated buffer.\u003cbr\u003eWe recommend upgrading to version 8.0 or beyond.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "When calculating the content path in handling of MPEG-DASH manifests, there\u0027s an out-of-bounds NUL-byte write one byte past the end of the buffer.When we call xmlNodeGetContent\u00a0below [0], it returns a buffer precisely allocated to match the string length, using strdup\u00a0internally. If this buffer is not an empty string, it is assigned to root_url\u00a0at [1].If the last (non-NUL) byte in this buffer is not \u0027/\u0027\u00a0then we append \u0027/\u0027\u00a0in-place at [2]. This will write two bytes into the buffer, starting at the last valid byte in the buffer, writing the NUL byte beyond the end of the allocated buffer.\nWe recommend upgrading to version 8.0 or beyond."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T08:08:27.410Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://issuetracker.google.com/433502298"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Heap-buffer-overflow write in FFmpeg MDASH resolve_content_path",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2025-59728",
"datePublished": "2025-10-06T08:08:27.410Z",
"dateReserved": "2025-09-19T08:11:37.549Z",
"dateUpdated": "2025-10-08T03:55:08.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59729 (GCVE-0-2025-59729)
Vulnerability from cvelistv5 – Published: 2025-10-06 08:08 – Updated: 2025-10-06 16:28
VLAI?
EPSS
Title
Heap-buffer-overflow read in FFmpeg DHAV get_duration
Summary
When parsing the header for a DHAV file, there's an integer underflow in offset calculation that leads to reading the duration from before the start of the allocated buffer.
If we load a DHAV file that is larger than MAX_DURATION_BUFFER_SIZE bytes (0x100000) for example 0x101000 bytes, then at [0] we have size = 0x101000. At [1] we have end_buffer_size = 0x100000, and at [2] we have end_buffer_pos = 0x1000.
The loop then scans backwards through the buffer looking for the dhav tag; when it is found, we'll calculate end_pos based on a 32-bit offset read from the buffer.
There is subsequently a check [3] that end_pos is within the section of the file that has been copied into end_buffer, but it only correctly handles the cases where end_pos is before the start of the file or after the section copied into end_buffer, and not the case where end_pos is within the the file, but before the section copied into end_buffer. If we provide such an offset, (end_pos - end_buffer_pos) can underflow, resulting in the subsequent access at [4] occurring before the beginning of the allocation.
We recommend upgrading to version 8.0 or beyond.
Severity ?
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
Credits
Google Big Sleep
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59729",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T16:25:07.013593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T16:28:37.534Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://git.ffmpeg.org/ffmpeg.git",
"defaultStatus": "unaffected",
"modules": [
"get_duration"
],
"packageName": "DHAV",
"product": "FFmpeg",
"repo": "https://git.ffmpeg.org/ffmpeg.git",
"vendor": "FFmpeg",
"versions": [
{
"lessThan": "8.0",
"status": "affected",
"version": "a218cafe4d3be005ab0c61130f90db4d21afb5db",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Google Big Sleep"
}
],
"datePublic": "2025-07-21T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eWhen parsing the header for a DHAV file, there\u0027s an integer underflow in offset calculation that leads to reading the duration from before the start of the allocated buffer.\u003c/p\u003e\u003cp\u003eIf we load a DHAV file that is larger than \u003ccode\u003eMAX_DURATION_BUFFER_SIZE\u003c/code\u003e\u0026nbsp;bytes (\u003ccode\u003e0x100000\u003c/code\u003e) for example 0x101000 bytes, then at [0] we have \u003ccode\u003esize = 0x101000\u003c/code\u003e. At [1] we have \u003ccode\u003eend_buffer_size = 0x100000\u003c/code\u003e, and at [2] we have \u003ccode\u003eend_buffer_pos = 0x1000\u003c/code\u003e.\u003c/p\u003e\u003cp\u003eThe loop then scans backwards through the buffer looking for the \u003ccode\u003edhav\u003c/code\u003e\u0026nbsp;tag; when it is found, we\u0027ll calculate \u003ccode\u003eend_pos\u003c/code\u003e\u0026nbsp;based on a 32-bit offset read from the buffer.\u003c/p\u003e\u003cp\u003eThere is subsequently a check [3] that \u003ccode\u003eend_pos\u003c/code\u003e\u0026nbsp;is within the section of the file that has been copied into \u003ccode\u003eend_buffer\u003c/code\u003e, but it only correctly handles the cases where \u003ccode\u003eend_pos\u003c/code\u003e\u0026nbsp;is \u003cem\u003ebefore the start of the file\u003c/em\u003e\u0026nbsp;or \u003cem\u003eafter the section copied into \u003ccode\u003eend_buffer\u003c/code\u003e\u003c/em\u003e, and not the case where \u003ccode\u003eend_pos\u003c/code\u003e\u0026nbsp;is within the the file, but before the section copied into \u003ccode\u003eend_buffer\u003c/code\u003e. If we provide such an offset, \u003ccode\u003e(end_pos - end_buffer_pos)\u003c/code\u003e\u0026nbsp;can underflow, resulting in the subsequent access at [4] occurring before the beginning of the allocation.\u003c/p\u003eWe recommend upgrading to version 8.0 or beyond.\u003cp\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "When parsing the header for a DHAV file, there\u0027s an integer underflow in offset calculation that leads to reading the duration from before the start of the allocated buffer.\n\nIf we load a DHAV file that is larger than MAX_DURATION_BUFFER_SIZE\u00a0bytes (0x100000) for example 0x101000 bytes, then at [0] we have size = 0x101000. At [1] we have end_buffer_size = 0x100000, and at [2] we have end_buffer_pos = 0x1000.\n\nThe loop then scans backwards through the buffer looking for the dhav\u00a0tag; when it is found, we\u0027ll calculate end_pos\u00a0based on a 32-bit offset read from the buffer.\n\nThere is subsequently a check [3] that end_pos\u00a0is within the section of the file that has been copied into end_buffer, but it only correctly handles the cases where end_pos\u00a0is before the start of the file\u00a0or after the section copied into end_buffer, and not the case where end_pos\u00a0is within the the file, but before the section copied into end_buffer. If we provide such an offset, (end_pos - end_buffer_pos)\u00a0can underflow, resulting in the subsequent access at [4] occurring before the beginning of the allocation.\n\nWe recommend upgrading to version 8.0 or beyond."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T08:08:46.060Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://issuetracker.google.com/433513232"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Heap-buffer-overflow read in FFmpeg DHAV get_duration",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2025-59729",
"datePublished": "2025-10-06T08:08:46.060Z",
"dateReserved": "2025-09-19T08:11:37.549Z",
"dateUpdated": "2025-10-06T16:28:37.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59730 (GCVE-0-2025-59730)
Vulnerability from cvelistv5 – Published: 2025-10-06 08:09 – Updated: 2025-10-06 16:23
VLAI?
EPSS
Title
Heap-buffer-overflow write in FFmpeg SANM decoding due to lack of bounds-checking in old_codec48
Summary
When decoding a frame for a SANM file (ANIM v0 variant), the decoded data can be larger than the buffer allocated for it.
Frames encoded with codec 48 can specify their resolution (width x height). A buffer of appropriate size is allocated depending on the resolution.
This codec can encode the frame contents using a run-length encoding algorithm. There are no checks that the decoded frame fits in the allocated buffer, leading to a heap-buffer-overflow.
process_frame_obj initializes the buffers based on the frame resolution:
We recommend upgrading to version 8.0 or beyond.
Severity ?
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
Credits
Google Big Sleep
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59730",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T16:22:19.576410Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T16:23:59.447Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://git.ffmpeg.org/ffmpeg.git",
"defaultStatus": "unaffected",
"packageName": "SANM",
"product": "FFmpeg",
"repo": "https://git.ffmpeg.org/ffmpeg.git",
"vendor": "FFmpeg",
"versions": [
{
"lessThan": "8.0",
"status": "affected",
"version": "829680f96a7a7ff02d1543895ec0fb713309d5c0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Google Big Sleep"
}
],
"datePublic": "2025-07-27T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eWhen decoding a frame for a SANM file (ANIM v0 variant), the decoded data can be larger than the buffer allocated for it.\u003c/p\u003e\u003cp\u003eFrames encoded with codec 48 can specify their resolution (width x height). A buffer of appropriate size is allocated depending on the resolution.\u003c/p\u003e\u003cp\u003eThis codec can encode the frame contents using a run-length encoding algorithm. There are no checks that the decoded frame fits in the allocated buffer, leading to a heap-buffer-overflow.\u003c/p\u003e\u003cp\u003e\u003ccode\u003eprocess_frame_obj\u003c/code\u003e\u0026nbsp;initializes the buffers based on the frame resolution:\u003c/p\u003e\u003cp\u003e\u003c/p\u003eWe recommend upgrading to version 8.0 or beyond.\u003cp\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "When decoding a frame for a SANM file (ANIM v0 variant), the decoded data can be larger than the buffer allocated for it.\n\nFrames encoded with codec 48 can specify their resolution (width x height). A buffer of appropriate size is allocated depending on the resolution.\n\nThis codec can encode the frame contents using a run-length encoding algorithm. There are no checks that the decoded frame fits in the allocated buffer, leading to a heap-buffer-overflow.\n\nprocess_frame_obj\u00a0initializes the buffers based on the frame resolution:\n\n\n\nWe recommend upgrading to version 8.0 or beyond."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T08:09:11.029Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://issuetracker.google.com/434637586"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Heap-buffer-overflow write in FFmpeg SANM decoding due to lack of bounds-checking in old_codec48",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2025-59730",
"datePublished": "2025-10-06T08:09:11.029Z",
"dateReserved": "2025-09-19T08:11:37.550Z",
"dateUpdated": "2025-10-06T16:23:59.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…