PT-2026-25794 · FFmpeg · Ffmpeg

Published: 2025-11-08 · Updated: 2026-03-17 · CVE-2025-69693

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P
Name of the Vulnerable Software and Affected Versions: FFmpeg versions 8.0 and 8.0.1

Description: An out-of-bounds read issue exists in the RV60 video decoder (libavcodec/rv60dec.c) of FFmpeg versions 8.0 and 8.0.1. The issue stems from insufficient validation of the quantization parameter (qp) at line 2267, which only checks the lower bound but lacks upper bound validation. The qp value can reach 65, exceeding the valid index range of the rv60_qp_to_idx array (0-63). This can lead to out-of-bounds array access at lines 1554 (decode_cbp8), 1655 (decode_cbp16), and 1419/1421 (get_c4x4_set), potentially resulting in memory disclosure or a crash. A prior fix addressed this issue only for intra frames.

Recommendations: Update to FFmpeg version 8.1 or later.
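The following is an added illustration of the validation gap described above, not code from FFmpeg or rv60dec.c: a simplified model of a lower-bound-only qp check (with the earlier intra-only upper bound) beside a hardened check that rejects any qp outside 0..63 before it is used as a table index. The table contents, the error code and the is_intra flag are constructed for the example.

```c
/* Added example, not FFmpeg code: models the RV60 qp range check. */
#include <stdint.h>
#include <stdio.h>

#define RV60_QP_MAX 63        /* the qp-to-index table has 64 entries: 0..63 */
#define ERR_INVALIDDATA (-1)  /* stand-in for the decoder's invalid-data error */

/* Constructed stand-in table; the real rv60_qp_to_idx contents are not reproduced. */
static uint8_t qp_to_idx[RV60_QP_MAX + 1];

static void init_table(void) {
    for (int i = 0; i <= RV60_QP_MAX; i++)
        qp_to_idx[i] = (uint8_t)(i / 2);
}

/* Weak check as the advisory describes it: only the lower bound is enforced for
 * every frame, and the upper bound only for intra frames (the partial prior fix). */
int rv60_qp_check_weak(int qp, int is_intra) {
    if (qp < 0) return ERR_INVALIDDATA;
    if (is_intra && qp > RV60_QP_MAX) return ERR_INVALIDDATA;
    return 0;  /* qp == 65 on an inter frame passes and would index past the table */
}

/* Hardened check: both bounds, regardless of frame type. */
int rv60_qp_check(int qp) {
    if (qp < 0 || qp > RV60_QP_MAX) return ERR_INVALIDDATA;
    return 0;
}

/* Safe lookup: validate first so the table read can never go out of bounds.
 * Returns the index, or ERR_INVALIDDATA for an out-of-range qp. */
int rv60_qp_to_idx_safe(int qp) {
    static int ready;
    if (!ready) { init_table(); ready = 1; }
    if (rv60_qp_check(qp) < 0) return ERR_INVALIDDATA;
    return qp_to_idx[qp];
}

int main(void) {
    int qp = 65;  /* constructed out-of-range value from the advisory */
    printf("weak check, inter frame: %d\n", rv60_qp_check_weak(qp, 0));  /* 0: passes */
    printf("hardened check:          %d\n", rv60_qp_check(qp));          /* -1: rejected */
    printf("safe lookup:             %d\n", rv60_qp_to_idx_safe(qp));    /* -1: rejected */
    return 0;
}
```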

Fix

Out-of-bounds Read


Weakness Enumeration

Related Identifiers

BDU:2026-05206
CVE-2025-69693

Affected Products

Ffmpeg