PT-2024-4082 · Libvpx+10

Published: 2024-06-03 · Updated: 2025-07-22 · CVE-2024-5197

CVSS v3.1: 9.1 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
Name of the Vulnerable Software and Affected Versions

libvpx versions prior to 1.14.1

Description

The issue is an integer overflow in the libvpx library. It can occur when vpx_img_alloc() is called with large values of the d_w, d_h, or align parameters, or when vpx_img_wrap() is called with a large value of the stride_align parameter. The calculations of buffer sizes and offsets can then overflow, so that some fields of the returned vpx_image_t struct are invalid.

Recommendations

For libvpx versions prior to 1.14.1, upgrade to version 1.14.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the vpx_img_alloc() and vpx_img_wrap() functions with large parameter values until a patch is available. Avoid passing large values for the d_w, d_h, align, and stride_align parameters to the affected API functions until the issue is resolved.
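The description above concerns size and offset arithmetic that wraps when an image is allocated or wrapped with large width, height, or alignment values. The following is an added illustration, not libvpx code: a checked version of the kind of plane-geometry calculation such an allocator performs, which refuses any combination of d_w, d_h, align, stride_align, and bytes-per-pixel whose rounding or multiplication would overflow instead of returning a struct with invalid fields. The struct, function names, and the single-plane model are assumptions for this example and do not mirror the real vpx_image_t layout.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative result of a checked buffer-size computation for one image
 * plane. This is NOT libvpx's vpx_image_t; only the parameter names follow
 * the advisory's d_w / d_h / align / stride_align. */
typedef struct {
    unsigned int w;       /* width rounded up to a multiple of align        */
    unsigned int h;       /* height rounded up to a multiple of align       */
    unsigned int stride;  /* bytes per row, rounded up to stride_align      */
    size_t buf_size;      /* stride * h, guaranteed not to have wrapped     */
} checked_plane_t;

/* Round v up to a multiple of align, which must be a non-zero power of two.
 * Returns 0 (leaving *out untouched) if the rounding addition would wrap. */
static int align_up_checked(unsigned int v, unsigned int align, unsigned int *out)
{
    if (align == 0 || (align & (align - 1)) != 0)
        return 0;                       /* not a power of two: refuse */
    if (v > UINT_MAX - (align - 1))
        return 0;                       /* v + (align - 1) would wrap */
    *out = (v + (align - 1)) & ~(align - 1);
    return 1;
}

/* Compute the geometry of a plane with bytes_per_pixel bytes per sample.
 * Every intermediate value is range-checked before it is computed, so an
 * oversized request is rejected (return 0) rather than silently wrapped.
 * Returns 1 and fills *out on success. */
int checked_plane_size(unsigned int d_w, unsigned int d_h,
                       unsigned int align, unsigned int stride_align,
                       unsigned int bytes_per_pixel, checked_plane_t *out)
{
    checked_plane_t r;
    unsigned int row_bytes;

    if (d_w == 0 || d_h == 0 || bytes_per_pixel == 0)
        return 0;
    if (!align_up_checked(d_w, align, &r.w) ||
        !align_up_checked(d_h, align, &r.h))
        return 0;
    /* row_bytes = w * bytes_per_pixel, checked against unsigned wraparound */
    if (r.w > UINT_MAX / bytes_per_pixel)
        return 0;
    row_bytes = r.w * bytes_per_pixel;
    if (!align_up_checked(row_bytes, stride_align, &r.stride))
        return 0;
    /* buf_size = stride * h, computed in size_t and checked first, so the
     * product cannot wrap on either 32-bit or 64-bit size_t */
    if ((size_t)r.h > SIZE_MAX / r.stride)
        return 0;
    r.buf_size = (size_t)r.stride * r.h;
    *out = r;
    return 1;
}

/* Convenience wrapper: buffer size in bytes, or 0 if the request is refused. */
size_t checked_plane_bytes(unsigned int d_w, unsigned int d_h,
                           unsigned int align, unsigned int stride_align,
                           unsigned int bytes_per_pixel)
{
    checked_plane_t p;
    if (!checked_plane_size(d_w, d_h, align, stride_align, bytes_per_pixel, &p))
        return 0;
    return p.buf_size;
}

/* Convenience wrapper: row stride in bytes, or 0 if the request is refused. */
unsigned int checked_plane_stride(unsigned int d_w, unsigned int d_h,
                                  unsigned int align, unsigned int stride_align,
                                  unsigned int bytes_per_pixel)
{
    checked_plane_t p;
    if (!checked_plane_size(d_w, d_h, align, stride_align, bytes_per_pixel, &p))
        return 0;
    return p.stride;
}
```

A 640x480 8-bit plane with align 16 and stride_align 32 yields a stride of 640 and 307200 bytes; a 1000x1000 plane rounds to 1008x1008 with a 1024-byte stride. A width near UINT_MAX, a non-power-of-two alignment, or a zero dimension is refused at the first check that would have wrapped, which is the property a caller should verify against any image allocator it relies on.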

Weakness Enumeration

Integer Overflow

Related Identifiers

ALSA-2024:5941
ALSA-2024:9827
ALT-PU-2025-1090
BDU:2024-04531
CESA-2024_5941
CVE-2024-5197
DLA-3830-1
DSA-5722-1
INFSA-2024_5941
INFSA-2024_9827
MGASA-2024-0221
OESA-2024-1716
OPENSUSE-SU-2024:14100-1
OPENSUSE-SU-2024_2409-1
RHSA-2024:5941
RHSA-2024:9827
RHSA-2024_5941
RHSA-2024_9827
RHSA-2025:14138
RHSA-2025:14139
RHSA-2025:14140
RLSA-2024:5941
RLSA-2024:9827
SUSE-SU-2024:2408-1
SUSE-SU-2024:2409-1
USN-6814-1
USN-7249-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Libvpx