PT-2018-2801 · FFmpeg+2 · Ffmpeg+2
Paul Ch
·
Published
2018-07-21
·
Updated
2026-02-06
·
CVE-2018-1999011
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
FFmpeg versions prior to commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869
Description
The issue is related to a buffer overflow in the dynamic memory, which can be exploited by an attacker to cause a denial of service or execute arbitrary code using a specially crafted file or stream. The vulnerability is specifically located in the asf o format demuxer and can result in a heap-buffer-overflow, potentially leading to remote code execution. This can be achieved by providing a specially crafted ASF file as input to FFmpeg.
Recommendations
For FFmpeg versions prior to commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869, update to a version that includes the fix, specifically commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 or later. As a temporary workaround, consider restricting the use of the asf o format demuxer to minimize the risk of exploitation. Avoid using specially crafted ASF files that could trigger the buffer overflow until the issue is resolved.
Fix
RCE
Buffer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Ffmpeg
Suse