CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-40962
https://notcve.org/view.php?id=CVE-2026-40962
16 Apr 2026 — FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c. • https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22348 • CWE-190: Integer Overflow or Wraparound •
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-59734 – Heap-buffer-overflow write in FFmpeg SANM process_ftch
https://notcve.org/view.php?id=CVE-2025-59734
06 Oct 2025 — It is possible to cause a use-after-free write in SANM decoding with a carefully crafted animation using subversion < 2. When a STOR chunk is present, a subsequent FOBJ chunk will be saved in ctx->stored_frame. Stored frames can later be referenced by FTCH chunks. For files using subversion < 2, the undecoded frame is stored, and decoded again when the FTCH chunks are parsed. However, in process_frame_obj if the frame has an invalid size, there’s an early return, with a value of 0. • https://b.corp.google.com/issues/440183164 • CWE-416: Use After Free •
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-59733 – Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress
https://notcve.org/view.php?id=CVE-2025-59733
06 Oct 2025 — When decoding an OpenEXR file that uses DWAA or DWAB compression, there's an implicit assumption that all image channels have the same pixel type (and size), and that if there are four channels, the first four are "B", "G", "R" and "A". The channel parsing code can be found in decode_header. The buffer td->uncompressed_data is allocated in decode_block based on the xsize, ysize and computed current_channel_offset. The function dwa_uncompress then assumes at [5] that if there are 4 channels, these are "B", "... • https://b.corp.google.com/issues/436511754 • CWE-787: Out-of-bounds Write •
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-59732 – Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress
https://notcve.org/view.php?id=CVE-2025-59732
06 Oct 2025 — When decoding an OpenEXR file that uses DWAA or DWAB compression, there's an implicit assumption that the height and width are divisible by 8. If the height or width of the image is not divisible by 8, the copy loops at [0] and [1] will continue to write until the next multiple of 8. The buffer td->uncompressed_data is allocated in decode_block based on the precise height and width of the image, so the "rounded-up" multiple of 8 in the copy loop can exceed the buffer bounds, and the write block starting at ... • https://b.corp.google.com/issues/436510316 • CWE-787: Out-of-bounds Write •
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-59731 – Heap-buffer-overflow write in FFmpeg EXR dwa_uncompress
https://notcve.org/view.php?id=CVE-2025-59731
06 Oct 2025 — When decoding an OpenEXR file that uses DWAA or DWAB compression, the specified raw length of run-length-encoded data is not checked when using it to calculate the output data. We read rle_raw_size from the input file at [0], we decompress and decode into the buffer td->rle_raw_data of size rle_raw_size at [1], and then at [2] we will access entries in this buffer up to (td->xsize - 1) * (td->ysize - 1) + rle_raw_size / 2, which may exceed rle_raw_size. We recommend upgrading to version 8.0 or beyond. When ... • https://b.corp.google.com/issues/436510153 • CWE-787: Out-of-bounds Write •
CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-9951 – Remote code execution via Heap Buffer Overflow in FFmpeg JPEG2000
https://notcve.org/view.php?id=CVE-2025-9951
09 Sep 2025 — A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows an attacker to potentially gain remote code execution or cause denial of service via the channel definition cdef atom of JPEG2000. It was discovered that FFmpeg incorrectly handled the return values of functions in its Firequalizer filter and in the HTTP Live Streaming implementation, leading to a NULL pointer dereference. If a user was tricked into loading a crafted media file, a remote attacker could possibly use this issue to make FFm... • https://github.com/google/security-research/security/advisories/GHSA-39q3-f8jq-v6mg • CWE-122: Heap-based Buffer Overflow •
CVSS: 9.8 • EPSS: 5% • CPEs: 5 • EXPL: 0 • CVE-2005-4048 – Ubuntu Security Notice 230-1
https://notcve.org/view.php?id=CVE-2005-4048
07 Dec 2005 — Heap-based buffer overflow in the avcodec_default_get_buffer function (utils.c) in FFmpeg libavcodec 0.4.9-pre1 and earlier, as used in products such as (1) mplayer, (2) xine-lib, (3) Xmovie, and (4) GStreamer, allows remote attackers to execute arbitrary commands via small PNG images with palettes. Simon Kilvington discovered a buffer overflow in the avcodec_default_get_buffer() function of the ffmpeg library. By tricking a user into opening a malicious movie which contains specially crafted PNG images, t... • http://article.gmane.org/gmane.comp.video.ffmpeg.devel/26558 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
