VYPR
Unrated severity · NVD Advisory · Published Apr 24, 2015 · Updated May 6, 2026

CVE-2015-3417

Description

Use-after-free in FFmpeg before 2.3.6 via crafted H.264 data in MP4 files allows denial of service or potential code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A use-after-free vulnerability exists in the `ff_h264_free_tables` function in `libavcodec/h264.c` in FFmpeg before 2.3.6. The bug occurs when the H.264 context tables are freed: the `delayed_pic` array is not cleared afterwards, which leads to a use-after-free condition. It is triggered by crafted H.264 data in an MP4 file. [1][3]
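
The pattern described above, as a simplified C model added here for illustration (not FFmpeg's code; `dec_ctx`, `pool`, `delayed` and the sizes are hypothetical stand-ins for `H264Context`, `DPB` and `delayed_pic`). It shows that freeing the pool without clearing the pointer array leaves stale entries behind, and that clearing it first leaves none.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_SIZE   4  /* constructed stand-in for the picture pool size */
#define DELAYED_MAX 3  /* constructed stand-in for the delayed list size */
struct pic { int poc; };
struct dec_ctx {
    struct pic *pool;                 /* heap pool, plays the role of h->DPB */
    struct pic *delayed[DELAYED_MAX]; /* pointers into pool, like h->delayed_pic */
};

/* Free the pool. clear_delayed=0 models the pre-fix code, 1 the patched code. */
static void ctx_free_tables(struct dec_ctx *c, int clear_delayed)
{
    if (!c->pool) return;
    if (clear_delayed)
        memset(c->delayed, 0, sizeof(c->delayed));
    free(c->pool);
    c->pool = NULL;
}

/* Count non-null slots via memcmp, so stale pointers are never dereferenced. */
static int ctx_stale_slots(const struct dec_ctx *c)
{
    static struct pic *const null_pic = NULL;
    int n = 0;
    for (int i = 0; i < DELAYED_MAX; i++)
        n += memcmp(&c->delayed[i], &null_pic, sizeof(null_pic)) != 0;
    return n;
}

/* One allocate / queue / free cycle; returns the stale slots left behind. */
static int run_case(int clear_delayed)
{
    struct dec_ctx c = {0};
    c.pool = calloc(POOL_SIZE, sizeof(*c.pool));
    if (!c.pool) return -1;
    c.delayed[0] = &c.pool[1]; /* two pictures waiting for output */
    c.delayed[1] = &c.pool[2];
    ctx_free_tables(&c, clear_delayed);
    return ctx_stale_slots(&c);
}

int main(void)
{
    printf("pre-fix: %d stale, patched: %d stale\n", run_case(0), run_case(1));
    return 0;
}
```

Any later code path that walks the non-null slots after the free would touch released memory, which is why the clear has to happen wherever the pool is released.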

Exploitation

An attacker can exploit this by crafting an MP4 file containing malicious H.264 data. The victim must open the file with an application linked to FFmpeg (e.g., through a browser media element). No authentication is required, and remote exploitation is possible. The vulnerability is triggered during deallocation when processing the crafted input. [1][2]

Impact

Successful exploitation can cause a denial of service (application crash) or possibly arbitrary code execution with the privileges of the application. The exact impact may vary depending on memory layout and protections. [1][2]

Mitigation

Fixed in FFmpeg version 2.3.6 via commit e8714f6. Users should upgrade to FFmpeg 2.3.6 or later. For systems using libav, upgrade to version 11.8 or later as per Gentoo GLSA 201705-08. No known workaround. [2][3]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

1
e8714f6f93d1

avcodec/h264: Clear delayed_pic on deallocation

https://github.com/FFmpeg/FFmpeg · Michael Niedermayer · Dec 17, 2014 · via body-scan
1 file changed · +1 0
  • libavcodec/h264.c+1 0 modified
    @@ -391,6 +391,7 @@ void ff_h264_free_tables(H264Context *h, int free_rbsp)
         if (free_rbsp && h->DPB) {
             for (i = 0; i < H264_MAX_PICTURE_COUNT; i++)
                 ff_h264_unref_picture(h, &h->DPB[i]);
    +        memset(h->delayed_pic, 0, sizeof(h->delayed_pic));
             av_freep(&h->DPB);
         } else if (h->DPB) {
             for (i = 0; i < H264_MAX_PICTURE_COUNT; i++)
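Review bot: The clear of `h->delayed_pic` is added only in the `free_rbsp && h->DPB` branch, while the `else if (h->DPB)` branch that follows loops over the same `H264_MAX_PICTURE_COUNT` pictures and is left untouched; its body is outside the hunk, so please confirm that path cannot leave `delayed_pic` entries pointing at pictures it resets, or clear the array there as well. A one-line comment above the `memset` saying that `delayed_pic` holds pointers into `DPB`, and must therefore be zeroed before `av_freep(&h->DPB)`, would also help, since the commit message does not explain which access the clear protects.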
    

References

7
