SB2026062343 - Debian update for ffmpeg
Published: June 23, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2025-22921)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a boundary error within the jpeg2000_decode_packet() function in libavcodec/jpeg2000dec.c. A remote attacker can pass specially crafted input to the application, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
2) Out-of-bounds write (CVE-ID: CVE-2026-8461)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error within the MagicYUV decoder in libavcodec/magicyuv.c. A remote attacker can pass specially crafted media content to the library, trigger an out-of-bounds write and execute arbitrary code on the target system.
3) Out-of-bounds read (CVE-ID: CVE-2026-30997)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to crash the application.
The vulnerability exists due to a boundary condition within the read_global_param() function in libavcodec/av1dec.c. A remote attacker can pass specially crafted media content to the application, trigger an out-of-bounds read error and perform a denial of service attack.
Remediation
Install the update from the vendor's website.