VYPR
← All advisories
Unrated severityNVD Advisory· Published Aug 20, 2012· Updated Apr 29, 2026

CVE-2011-3952

CVE-2011-3952

Description

The decode_init function in kmvc.c in libavcodec in FFmpeg before 0.10 and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.6, and 0.8.x before 0.8.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large palette size in a KMVC encoded file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

64
  • FFmpeg/Ffmpeg45 versions
    cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*+ 44 more
    • cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*range: <=0.9.1
    • cpe:2.3:a:ffmpeg:ffmpeg:0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.4.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.4.6:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.4.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.4.8:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.4.9:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.4.9:pre1:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.7.11:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.7.12:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.7.6:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.7.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.7.8:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.7.9:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.8.10:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.8.11:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.8.5:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.8.6:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.8.7:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.8.8:*:*:*:*:*:*:*
    • cpe:2.3:a:ffmpeg:ffmpeg:0.9:*:*:*:*:*:*:*
    • (no CPE)range: <0.10
  • Libav/Libav19 versions
    cpe:2.3:a:libav:libav:0.5:*:*:*:*:*:*:*+ 18 more
    • cpe:2.3:a:libav:libav:0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.7.4:*:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.7.5:*:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.7:beta1:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.7:beta2:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:libav:libav:0.8:beta2:*:*:*:*:*:*
    • (no CPE)range: <0.5.9, >=0.6 <0.6.6, >=0.7 <0.7.6, >=0.8 <0.8.1

Patches

Vulnerability mechanics

Root cause

"Missing input validation on palette size in decode_init allows a large value to cause memory corruption."

Attack vector

An attacker crafts a KMVC encoded file with an excessively large palette size value. When a victim processes this file using an affected version of FFmpeg or Libav, the `decode_init` function in `kmvc.c` uses the unsanitized palette size without proper bounds checking [CWE-20]. This can cause an application crash (denial of service) and potentially allow arbitrary code execution.

Affected code

The vulnerability resides in the `decode_init` function in `kmvc.c` within `libavcodec` in FFmpeg before version 0.10 and in various versions of Libav. The function fails to validate the palette size specified in a KMVC encoded file before using it.

What the fix does

The patch is not included in the bundle, but the advisory indicates the fix was applied in FFmpeg 0.10 and in Libav 0.5.9, 0.6.6, 0.7.6, and 0.8.1. The remediation adds proper input validation to check the palette size against acceptable bounds before it is used in memory operations, closing the vulnerability by ensuring oversized values are rejected [CWE-20].

Preconditions

  • configThe victim must use an affected version of FFmpeg (before 0.10) or Libav (0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.6, or 0.8.x before 0.8.1)
  • inputThe attacker must deliver a KMVC encoded file with a crafted large palette size to the victim for processing

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.