Main Vulnerability Database SB2025060802

SB2025060802 - Input validation error in FFmpeg

Published: June 8, 2025

Security Bulletin ID SB2025060802

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Input validation error (CVE-ID: CVE-2013-0858)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The atrac3_decode_init function in libavcodec/atrac3.c in FFmpeg before 1.0.4 allows remote attackers to have an unspecified impact via ATRAC3 data with the joint stereo coding mode set and fewer than two channels.

Remediation

Install update from vendor's website.

References

http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=13451f5520ce6b0afde861b2285dda659f8d4fb4
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=2502914c5f8eb77659d7c0868396862557a63245
http://www.debian.org/security/2013/dsa-2793
http://www.ffmpeg.org/security.html