CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2025-9951 – Remote code execution via Heap Buffer Overflow in FFmpeg JPEG2000
https://notcve.org/view.php?id=CVE-2025-9951
09 Sep 2025 — A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows an attacker to potentially gain remote code execution or cause denial of service via the channel definition cdef atom of JPEG2000. It was discovered that FFmpeg incorrectly handled the return values of functions in its Firequalizer filter and in the HTTP Live Streaming implementation, leading to a NULL pointer dereference. If a user was tricked into loading a crafted media file, a remote attacker could possibly use this issue to make FFm... • https://github.com/google/security-research/security/advisories/GHSA-39q3-f8jq-v6mg • CWE-122: Heap-based Buffer Overflow •
CVSS: 10.0EPSS: 3%CPEs: 1EXPL: 0CVE-2024-22860
https://notcve.org/view.php?id=CVE-2024-22860
27 Jan 2024 — Integer overflow vulnerability in FFmpeg before n6.1, allows remote attackers to execute arbitrary code via the jpegxl_anim_read_packet component in the JPEG XL Animation decoder. Vulnerabilidad de desbordamiento de enteros en FFmpeg anterior a n6.1, permite a atacantes remotos ejecutar código arbitrario a través del componente jpegxl_anim_read_packet en el decodificador de animación JPEG XL. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61991 • CWE-190: Integer Overflow or Wraparound •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22861
https://notcve.org/view.php?id=CVE-2024-22861
27 Jan 2024 — Integer overflow vulnerability in FFmpeg before n6.1, allows attackers to cause a denial of service (DoS) via the avcodec/osq module. Vulnerabilidad de desbordamiento de enteros en FFmpeg anterior a n6.1, permite a los atacantes provocar una denegación de servicio (DoS) a través del módulo avcodec/osq. • https://github.com/FFmpeg/FFmpeg/commit/87b8c1081959e45ffdcbabb3d53ac9882ef2b5ce • CWE-190: Integer Overflow or Wraparound •
CVSS: 10.0EPSS: 2%CPEs: 1EXPL: 0CVE-2024-22862
https://notcve.org/view.php?id=CVE-2024-22862
27 Jan 2024 — Integer overflow vulnerability in FFmpeg before n6.1, allows remote attackers to execute arbitrary code via the JJPEG XL Parser. Vulnerabilidad de desbordamiento de enteros en FFmpeg anterior a n6.1, permite a atacantes remotos ejecutar código arbitrario a través de JJPEG XL Parser. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62113 • CWE-190: Integer Overflow or Wraparound •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 0CVE-2023-47470
https://notcve.org/view.php?id=CVE-2023-47470
16 Nov 2023 — Buffer Overflow vulnerability in Ffmpeg before github commit 4565747056a11356210ed8edcecb920105e40b60 allows a remote attacker to achieve an out-of-array write, execute arbitrary code, and cause a denial of service (DoS) via the ref_pic_list_struct function in libavcodec/evc_ps.c Vulnerabilidad de desbordamiento del búfer en Ffmpeg anterior al commit de github 4565747056a11356210ed8edcecb920105e40b60 permite a un atacante remoto lograr una escritura fuera de matriz, ejecutar código arbitrario y provocar una... • https://github.com/FFmpeg/FFmpeg/commit/4565747056a11356210ed8edcecb920105e40b60 • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46407
https://notcve.org/view.php?id=CVE-2023-46407
27 Oct 2023 — FFmpeg prior to commit bf814 was discovered to contain an out of bounds read via the dist->alphabet_size variable in the read_vlc_prefix() function. Se descubrió que FFmpeg antes del commit bf814 contenía una lectura fuera de los límites a través de la variable dist->alphabet_size en la función read_vlc_prefix(). • https://github.com/FFmpeg/FFmpeg/commit/bf814387f42e9b0dea9d75c03db4723c88e7d962 • CWE-125: Out-of-bounds Read •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-48434 – Ubuntu Security Notice USN-6449-2
https://notcve.org/view.php?id=CVE-2022-48434
29 Mar 2023 — libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used). It was discovered that FFmpeg incorrectly managed memory resulting in a memory leak. An attacker could possibly use this issue to cause a denial of service via application crash. This issue on... • https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cc867f2c09d2b69cee8a0eccd62aff002cbbfe11 • CWE-416: Use After Free •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-3341 – Ubuntu Security Notice USN-5958-1
https://notcve.org/view.php?id=CVE-2022-3341
12 Jan 2023 — A null pointer dereference issue was discovered in 'FFmpeg' in decode_main_header() function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash. It was discovered that FFmpeg could be made to dereference a null pointer. An attacker could possibly use this to cause a denial of service via application crash. These issues only affected Ubuntu 16.04 ESM, Ubunt... • https://bugzilla.redhat.com/show_bug.cgi?id=2157054 • CWE-476: NULL Pointer Dereference •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-3109 – Ubuntu Security Notice USN-5958-1
https://notcve.org/view.php?id=CVE-2022-3109
16 Dec 2022 — An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause a null pointer dereference, impacting availability. Se descubrió un problema en el paquete FFmpeg, donde vp3_decode_frame en libavcodec/vp3.c carece de verificación del valor de retorno de av_malloc() y provocará una desreferencia del puntero nulo, lo que afectará la disponibilidad. It was discovered that FFmpeg could be made to dereference a null pointer. A... • https://bugzilla.redhat.com/show_bug.cgi?id=2153551 • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 1CVE-2021-38291 – Gentoo Linux Security Advisory 202312-14
https://notcve.org/view.php?id=CVE-2021-38291
12 Aug 2021 — FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) suffers from a an assertion failure at src/libavutil/mathematics.c. Una versión de FFmpeg (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) sufre un fallo de aserción en el archivo src/libavutil/mathematics.c It was discovered that FFmpeg would attempt to divide by zero when using Linear Predictive Coding or AAC codecs. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ub... • https://lists.debian.org/debian-lts-announce/2021/11/msg00012.html • CWE-617: Reachable Assertion •