// For flags

CVE-2025-9951

Remote code execution via Heap Buffer Overflow in FFmpeg JPEG2000

Severity Score

7.2
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows an attacker to potentially gain remote code execution or cause denial of service via the channel definition cdef atom of JPEG2000.

It was discovered that FFmpeg incorrectly handled the return values of functions in its Firequalizer filter and in the HTTP Live Streaming implementation, leading to a NULL pointer dereference. If a user was tricked into loading a crafted media file, a remote attacker could possibly use this issue to make FFmpeg crash, resulting in a denial of service. It was discovered that FFmpeg did not enforce an input format before triggering the HTTP demuxer. A remote attacker could possibly use this issue to perform a Server-Side Request Forgery attack.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Attack Requirements
None
Privileges Required
Low
User Interaction
None
System
Vulnerable | Subsequent
Confidentiality
None
None
Integrity
High
High
Availability
High
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
Poc
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2025-09-03 CVE Reserved
  • 2025-09-09 CVE Published
  • 2026-02-26 CVE Updated
  • 2026-05-15 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-122: Heap-based Buffer Overflow
CAPEC
  • CAPEC-253: Remote Code Inclusion
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
FFmpeg
Search vendor "FFmpeg"
 FFmpeg
Search vendor "FFmpeg" for product "FFmpeg"
 < 8.0
Search vendor "FFmpeg" for product "FFmpeg" and version " < 8.0"
en
Affected