CVE-2024-1580

Name
CVE-2024-1580
Description
An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. We recommend upgrading past version 1.4.0 of dav1d.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
cve-coordination@google.com https://code.videolan.org/videolan/dav1d/-/blob/master/NEWS
cve-coordination@google.com https://code.videolan.org/videolan/dav1d/-/releases/1.4.0
cve-coordination@google.com https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EPMUNDMEBGESOJ2ZNCWYEAYOOEKNWOO/
cve-coordination@google.com https://support.apple.com/kb/HT214093
cve-coordination@google.com https://support.apple.com/kb/HT214095
cve-coordination@google.com https://support.apple.com/kb/HT214096
cve-coordination@google.com https://support.apple.com/kb/HT214097
cve-coordination@google.com https://support.apple.com/kb/HT214098
cve-coordination@google.com https://support.apple.com/kb/HT214094
cve-coordination@google.com http://seclists.org/fulldisclosure/2024/Mar/36
cve-coordination@google.com http://seclists.org/fulldisclosure/2024/Mar/37
cve-coordination@google.com http://seclists.org/fulldisclosure/2024/Mar/38
cve-coordination@google.com http://seclists.org/fulldisclosure/2024/Mar/39
cve-coordination@google.com http://seclists.org/fulldisclosure/2024/Mar/40
cve-coordination@google.com http://seclists.org/fulldisclosure/2024/Mar/41

Match rules

CPE URI Source package Min version Max version
dav1d >= 0 < 1.4.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
dav1d 3.19-main 1.3.0-r1 Bart Ribbers <bribbers@disroot.org> fixed
dav1d 3.18-main 1.2.1-r0 Bart Ribbers <bribbers@disroot.org> possibly vulnerable
dav1d 3.17-main 1.0.0-r2 Bart Ribbers <bribbers@disroot.org> possibly vulnerable