CVE-2024-35366

Name
CVE-2024-35366
Description
FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options function of sbgdec.c within the libavformat module. When parsing certain options, the software does not adequately validate the input. This allows for negative duration values to be accepted without proper bounds checking.
NVD Severity
high
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6
https://github.com/FFmpeg/FFmpeg/blob/n6.1.1/libavformat/sbgdec.c#L389
https://gist.github.com/1047524396/1e72f170d58c2547ebd4db4cdf6cfabf

Match rules

CPE URI Source package Min version Max version
n/a == n/a == n/a
cpe:2.3:a:ffmpeg:ffmpeg:6.1.1:*:*:*:*:*:*:* ffmpeg == 6.1.1 == 6.1.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
ffmpeg 3.20-community 6.1.1-r8 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable