Input validation error in FFmpeg

#VU18321 Input validation error in FFmpeg

Published: 2019-04-19

Vulnerability identifier: #VU18321

Vulnerability risk: Low

CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-9721

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FFmpeg
Universal components / Libraries / Libraries used by multiple products

Vendor: ffmpeg.sourceforge.net

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the subtitle decoder in handle_open_brace() function in libavcodec/htmlsubtitles.c when processing video files in Matroska format. A remote attacker can create a specially crafted video file, pass it to the affected application and consume all available CPU resources.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

FFmpeg: 4.1

External links
http://www.securityfocus.com/bid/107384
http://git.ffmpeg.org/gitweb/ffmpeg.git/commit/894995c41e0795c7a44f81adc4838dedc3932e65

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in ffmpeg (Alpine package)

Ubuntu update for FFmpeg

Multiple vulnerabilities in FFmpeg