CVE-2014-8544
Description
FFmpeg before 2.4.2 fails to validate bits-per-pixel fields in TIFF files, allowing remote denial of service via out-of-bounds access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FFmpeg before 2.4.2 fails to validate bits-per-pixel fields in TIFF files, allowing remote denial of service via out-of-bounds access.
Vulnerability
FFmpeg versions before 2.4.2 contain a vulnerability in libavcodec/tiff.c where the bits-per-pixel fields in TIFF image metadata are not properly validated. This allows crafted TIFF data to trigger an out-of-bounds array access when processing the image. The issue affects all FFmpeg releases prior to 2.4.2, as well as the Libav library which derived from FFmpeg [2].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted TIFF file to an application using the vulnerable FFmpeg or Libav library. No authentication or special network position is required; the attack is remote via file ingestion. The malicious TIFF file sets an invalid bits-per-pixel value that leads to an out-of-bounds read or write when parsed by tiff.c. Successful exploitation may cause a crash (denial of service) or potentially allow further memory corruption.
Impact
The primary impact is denial of service via application crash due to an out-of-bounds access. However, because out-of-bounds accesses can sometimes be leveraged for unauthorized data disclosure or code execution, Ubuntu and Gentoo advisories assess the possibility of arbitrary code execution with the privileges of the user processing the file [2][4].
Mitigation
The vulnerability is fixed in FFmpeg version 2.4.2 and later. Users of FFmpeg should upgrade to at least this version. For Libav, the fix was included in the upstream release that addressed USN-2534-1 [2]. Gentoo users can update to >=media-video/ffmpeg-2.6.3 as per GLSA 201603-06 [4]. No workaround is available for unpatched versions; application-level sandboxing or input validation may reduce risk but not eliminate it.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
108cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*+ 105 more
- cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*range: <=2.4.1
- cpe:2.3:a:ffmpeg:ffmpeg:0.10:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.11:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.11.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.11.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.4.9:pre1:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.5.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.5.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.11:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.7.9:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.11:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.9:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.10:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.13:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:1.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:ffmpeg:ffmpeg:2.4:*:*:*:*:*:*:*
- (no CPE)range: <2.4.2
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
0No linked articles in our index yet.