Openh264 · Openh264 · CVE-2025-27091
**Name of the Vulnerable Software and Affected Versions**
OpenH264 versions 2.5.0 and earlier
**Description**
OpenH264 contains a heap overflow vulnerability in its decoding functions. The issue is a race condition between the memory allocation for a Sequence Parameter Set (SPS) and the subsequent use of memory by a non-Instantaneous Decoder Refresh (non-IDR) Network Abstraction Layer (NAL) unit. An attacker can exploit this by crafting a malicious bitstream and tricking a user into processing a video that contains it. Successful exploitation could lead to a crash or potentially allow the attacker to execute arbitrary commands. Both Scalable Video Coding (SVC) and Advanced Video Coding (AVC) modes are affected.
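As an added triage example (not code from the OpenH264 project or from this advisory), the following Python walks an H.264 Annex B byte stream, lists its NAL units by type, and flags non-IDR slices that arrive after a new or changed SPS without an intervening IDR, the ordering the description above ties to the overflow. The sample stream and its payload bytes are constructed; a flag marks input worth inspecting before handing it to a decoder, not a detection of the bug itself.

```python
# Added example, not OpenH264 project code: walk an H.264 Annex B byte stream and
# flag non-IDR slices that follow a new or changed SPS with no IDR in between.
# A flag is a triage signal for untrusted input, not proof the bug is triggered.
NAL_NON_IDR, NAL_IDR, NAL_SPS = 1, 5, 7   # nal_unit_type values (H.264 Table 7-1)
START = b"\x00\x00\x01"                    # Annex B start code; 4-byte form adds a leading 0x00

def split_annexb(data: bytes) -> list[bytes]:
    """Return the NAL unit payloads of an Annex B stream, start codes removed."""
    units, i = [], 0
    while (j := data.find(START, i)) >= 0:
        start = j + len(START)
        nxt = data.find(START, start)
        end = len(data) if nxt < 0 else nxt
        # A following 4-byte start code leaves its leading 0x00 on this unit; strip it.
        unit = data[start:end].rstrip(b"\x00")
        if unit:
            units.append(unit)
        i = end
    return units

def nal_type(unit: bytes) -> int:
    """nal_unit_type is the low 5 bits of the NAL header byte."""
    return unit[0] & 0x1F

def audit(data: bytes) -> tuple[list[tuple[int, int]], list[int]]:
    """Return (index, type) per unit and indices of non-IDR slices seen after an SPS change no IDR applied."""
    trace, flagged = [], []
    active_sps = pending_sps = None           # SPS in use / SPS changed but not yet applied
    for idx, unit in enumerate(split_annexb(data)):
        t = nal_type(unit)
        trace.append((idx, t))
        if t == NAL_SPS and unit != active_sps:   # new or changed SPS: decoder must reallocate
            pending_sps = unit
        elif t == NAL_IDR:                        # an IDR applies the pending SPS cleanly
            active_sps, pending_sps = pending_sps or active_sps, None
        elif t == NAL_NON_IDR and pending_sps is not None:
            flagged.append(idx)
    return trace, flagged

# Constructed sample: SPS, PPS, IDR, non-IDR, then a changed SPS followed directly by a non-IDR slice.
SAMPLE = (b"\x00\x00\x00\x01" + bytes([0x67, 0x42, 0x00, 0x1E, 0xAB])    # SPS (type 7)
          + b"\x00\x00\x00\x01" + bytes([0x68, 0xCE, 0x3C, 0x80])        # PPS (type 8)
          + b"\x00\x00\x01" + bytes([0x65, 0x88, 0x84, 0x00, 0x33])      # IDR slice (type 5)
          + b"\x00\x00\x01" + bytes([0x41, 0x9A, 0x22, 0x3F])            # non-IDR slice (type 1)
          + b"\x00\x00\x00\x01" + bytes([0x67, 0x64, 0x00, 0x28, 0xAB])  # changed SPS
          + b"\x00\x00\x01" + bytes([0x41, 0x9A, 0x23, 0x3F]))           # non-IDR, no IDR first

if __name__ == "__main__":
    print(audit(SAMPLE))   # → ([(0, 7), (1, 8), (2, 5), (3, 1), (4, 7), (5, 1)], [5])
```

Only the NAL header byte is parsed; emulation-prevention bytes guarantee no `00 00 01` sequence appears inside a payload, so splitting on start codes is sufficient for this ordering check.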
**Recommendations**
Upgrade OpenH264 to version 2.6.0 or later.