PT-2025-7626 · Openh264+3

Andrew Calvano +1 · Published 2025-02-20 · Updated 2025-10-10 · CVE-2025-27091

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: OpenH264 versions 2.5.0 and earlier

Description: OpenH264 contains a heap overflow vulnerability in its decoding functions. This issue is due to a race condition occurring between a Sequence Parameter Set (SPS) memory allocation and a subsequent non-Instantaneous Decoder Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An attacker can exploit this by crafting a malicious bitstream and tricking a user into processing a video containing it. Successful exploitation could lead to a crash or potentially allow the attacker to execute arbitrary commands. Both Scalable Video Coding (SVC) and Advanced Video Coding (AVC) modes are affected.

Recommendations: Upgrade OpenH264 to version 2.6.0 or later.

Exploit · Fix · RCE · Memory Corruption · Heap Based Buffer Overflow

Weakness Enumeration

Related Identifiers

BDU:2025-02022
CVE-2025-27091
DSA-5870-1
GHSA-5PMW-9J92-3C4C
GHSA-M99Q-5J7X-7M9X
RUSTSEC-2025-0008

Affected Products

Astra Linux
Debian
Openh264
Red Os