CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-40962
https://notcve.org/view.php?id=CVE-2026-40962
16 Apr 2026 — FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c. • https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22348 • CWE-190: Integer Overflow or Wraparound •
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-59734 – Heap-buffer-overflow write in FFmpeg SANM process_ftch
https://notcve.org/view.php?id=CVE-2025-59734
06 Oct 2025 — It is possible to cause a use-after-free write in SANM decoding with a carefully crafted animation using subversion < 2. When a STOR chunk is present, a subsequent FOBJ chunk will be saved in ctx->stored_frame. Stored frames can later be referenced by FTCH chunks. For files using subversion < 2, the undecoded frame is stored, and decoded again when the FTCH chunks are parsed. However, in process_frame_obj, if the frame has an invalid size, there’s an early return with a value of 0. • https://b.corp.google.com/issues/440183164 • CWE-416: Use After Free •
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-59733 – Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress
https://notcve.org/view.php?id=CVE-2025-59733
06 Oct 2025 — When decoding an OpenEXR file that uses DWAA or DWAB compression, there's an implicit assumption that all image channels have the same pixel type (and size), and that if there are four channels, the first four are "B", "G", "R" and "A". The channel parsing code can be found in decode_header. The buffer td->uncompressed_data is allocated in decode_block based on the xsize, ysize and computed current_channel_offset. The function dwa_uncompress then assumes at [5] that if there are 4 channels, these are "B", "... • https://b.corp.google.com/issues/436511754 • CWE-787: Out-of-bounds Write •
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-59732 – Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress
https://notcve.org/view.php?id=CVE-2025-59732
06 Oct 2025 — When decoding an OpenEXR file that uses DWAA or DWAB compression, there's an implicit assumption that the height and width are divisible by 8. If the height or width of the image is not divisible by 8, the copy loops at [0] and [1] will continue to write until the next multiple of 8. The buffer td->uncompressed_data is allocated in decode_block based on the precise height and width of the image, so the "rounded-up" multiple of 8 in the copy loop can exceed the buffer bounds, and the write block starting at ... • https://b.corp.google.com/issues/436510316 • CWE-787: Out-of-bounds Write •
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-59731 – Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress
https://notcve.org/view.php?id=CVE-2025-59731
06 Oct 2025 — When decoding an OpenEXR file that uses DWAA or DWAB compression, the specified raw length of run-length-encoded data is not checked when using it to calculate the output data. We read rle_raw_size from the input file at [0], we decompress and decode into the buffer td->rle_raw_data of size rle_raw_size at [1], and then at [2] we will access entries in this buffer up to (td->xsize - 1) * (td->ysize - 1) + rle_raw_size / 2, which may exceed rle_raw_size. We recommend upgrading to version 8.0 or beyond. When ... • https://b.corp.google.com/issues/436510153 • CWE-787: Out-of-bounds Write •
CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-9951 – Remote code execution via Heap Buffer Overflow in FFmpeg JPEG2000
https://notcve.org/view.php?id=CVE-2025-9951
09 Sep 2025 — A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows an attacker to potentially gain remote code execution or cause denial of service via the channel definition cdef atom of JPEG2000. It was discovered that FFmpeg incorrectly handled the return values of functions in its Firequalizer filter and in the HTTP Live Streaming implementation, leading to a NULL pointer dereference. If a user was tricked into loading a crafted media file, a remote attacker could possibly use this issue to make FFm... • https://github.com/google/security-research/security/advisories/GHSA-39q3-f8jq-v6mg • CWE-122: Heap-based Buffer Overflow •
CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-0518 – Unchecked sscanf return value which leads to memory data leak
https://notcve.org/view.php?id=CVE-2025-0518
16 Jan 2025 — Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read Sensitive Constants Within an Executable. This vulnerability is associated with program files https://github.Com/FFmpeg/FFmpeg/blob/master/libavfilter/af_pan.C . This issue affects FFmpeg: 7.1. Issue was fixed: https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a This issue was discovered by: Simcha Kosman This update for ... • https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a • CWE-125: Out-of-bounds Read • CWE-252: Unchecked Return Value •
CVSS: 10.0 • EPSS: 2% • CPEs: 1 • EXPL: 0 • CVE-2024-22860
https://notcve.org/view.php?id=CVE-2024-22860
27 Jan 2024 — Integer overflow vulnerability in FFmpeg before n6.1, allows remote attackers to execute arbitrary code via the jpegxl_anim_read_packet component in the JPEG XL Animation decoder. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61991 • CWE-190: Integer Overflow or Wraparound •
CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2024-22861
https://notcve.org/view.php?id=CVE-2024-22861
27 Jan 2024 — Integer overflow vulnerability in FFmpeg before n6.1, allows attackers to cause a denial of service (DoS) via the avcodec/osq module. • https://github.com/FFmpeg/FFmpeg/commit/87b8c1081959e45ffdcbabb3d53ac9882ef2b5ce • CWE-190: Integer Overflow or Wraparound •
CVSS: 10.0 • EPSS: 1% • CPEs: 1 • EXPL: 0 • CVE-2024-22862
https://notcve.org/view.php?id=CVE-2024-22862
27 Jan 2024 — Integer overflow vulnerability in FFmpeg before n6.1, allows remote attackers to execute arbitrary code via the JPEG XL Parser. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62113 • CWE-190: Integer Overflow or Wraparound •
