PT-2025-40880 · Sanm
Published
2025-08-21
·
Updated
2025-11-15
·
CVE-2025-59734
CVSS v4.0
8.7
High
| Vector | AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
FFmpeg (libavcodec SANM decoder), versions prior to 8.0
Description
A crafted animation can trigger a use-after-free during SANM decoding. The trigger is a STOR chunk (which stores a frame object for later reuse) followed by an FOBJ chunk whose frame has an invalid size. The decoder then attempts to decode the stored frame object again and may reallocate the frame buffer while a GetByteContext bytestream reader still points into the old allocation. Subsequent reads through that reader by the sub-codecs become use-after-free reads, and writes into the stale buffer can corrupt allocator metadata. No playback is required: merely probing a file for the SANM format is enough to reach the faulty path.
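The following C program is an added illustration of the bug class described above; it is not code from FFmpeg's sanm.c or from this advisory. It models a reusable frame buffer (what STOR stashes), a borrowed bytestream reader standing in for GetByteContext, and a second FOBJ decode that regrows the buffer underneath the live reader. The names Ctx, Reader, frm_ensure, decode_fobj and run_sequence are hypothetical, the frame content is constructed, and the "validate" path is one possible hardening (reject an FOBJ larger than the stored frame, and refuse reads through a reader whose buffer was reallocated), not FFmpeg's actual patch. A generation counter is used so the program can report a dangling reader without dereferencing freed memory.

```c
/* Constructed model of the SANM STOR/FOBJ use-after-free pattern. Not FFmpeg code;
 * all names are hypothetical. A generation counter detects a stale reader so the
 * program never touches freed memory itself. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { ERR_INVALIDDATA = -1, ERR_NOMEM = -2, ERR_STALE_READER = -3 };

/* Stand-in for GetByteContext: borrows a pointer into a buffer it does not own. */
typedef struct Reader {
    const uint8_t *ptr, *end;
    unsigned gen;          /* generation of the buffer this reader was opened on */
} Reader;

/* Hypothetical decoder state: the reusable frame buffer that STOR stashes. */
typedef struct Ctx {
    uint8_t *frm;
    size_t   frm_size;
    unsigned frm_gen;      /* bumped on every (re)allocation of frm */
} Ctx;

static void reader_init(Reader *r, const Ctx *c)
{
    r->ptr = c->frm;
    r->end = c->frm + c->frm_size;
    r->gen = c->frm_gen;
}

/* Checked read: refuses to touch the buffer if it was reallocated since the reader
 * was opened. An unchecked reader would read (or write) freed memory right here. */
static int reader_get_byte(Reader *r, const Ctx *c, uint8_t *out)
{
    if (r->gen != c->frm_gen) return ERR_STALE_READER;
    if (r->ptr >= r->end)     return ERR_INVALIDDATA;
    *out = *r->ptr++;
    return 0;
}

/* Grow frm to at least `want` bytes. After a successful realloc every pointer into
 * the old allocation, including any live Reader, is invalid. */
static int frm_ensure(Ctx *c, size_t want)
{
    if (want <= c->frm_size) return 0;
    uint8_t *n = realloc(c->frm, want);
    if (!n) return ERR_NOMEM;
    c->frm = n;
    c->frm_size = want;
    c->frm_gen++;
    return 0;
}

/* Decode an FOBJ claiming `size` bytes while `gb` is open over the stored frame.
 * validate=0 mirrors the vulnerable flow (size trusted, buffer regrown under the
 * reader); validate=1 is one possible hardening, not FFmpeg's actual fix. */
static int decode_fobj(Ctx *c, Reader *gb, size_t size, int validate)
{
    uint8_t b;
    int err;
    if (validate && size > c->frm_size)
        return ERR_INVALIDDATA;        /* oversized FOBJ: reject, do not realloc */
    if ((err = frm_ensure(c, size)) < 0)
        return err;
    if ((err = reader_get_byte(gb, c, &b)) < 0)
        return err;                    /* ERR_STALE_READER is where the UAF occurs */
    c->frm[0] = b;                     /* a real decoder writes pixels here */
    return 0;
}

/* STOR of stor_size bytes, then an FOBJ of fobj_size bytes decoded again over the
 * stored frame. Returns the decode status; *dangling reports whether the reader
 * was left pointing at a freed allocation. */
static int run_sequence(size_t stor_size, size_t fobj_size, int validate, int *dangling)
{
    Ctx c = {0};
    Reader gb;
    int err = frm_ensure(&c, stor_size);           /* STOR: stash a frame */
    if (err < 0) return err;
    memset(c.frm, 0xAB, stor_size);                /* constructed frame content */
    reader_init(&gb, &c);                          /* reader opened over frm */
    err = decode_fobj(&c, &gb, fobj_size, validate);
    *dangling = (gb.gen != c.frm_gen);
    free(c.frm);
    return err;
}

int main(void)
{
    int d, e;
    e = run_sequence(64, 4096, 0, &d);
    printf("unvalidated FOBJ: status=%d reader_dangling=%d\n", e, d);
    e = run_sequence(64, 4096, 1, &d);
    printf("validated FOBJ:   status=%d reader_dangling=%d\n", e, d);
    return 0;
}
```

With an oversized FOBJ and no validation the buffer is regrown and the reader is left dangling, which is the point at which the real decoder performs its use-after-free read or write; with validation the oversized object is rejected as invalid data before any reallocation, and a correctly sized FOBJ decodes normally in both modes.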
Recommendations
Upgrade to version 8.0 or beyond.
Weakness Enumeration
CWE-416: Use After Free
Related Identifiers
CVE-2025-59734
Affected Products
Debian
Sanm