High severity7.5NVD Advisory· Published Jun 28, 2017· Updated May 13, 2026

CVE-2017-9993

Description

FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.

Affected products

FFmpeg/Ffmpeg
cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*
Range: <2.8.12
Debian/Debian Linux2 versions
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021nvdIssue TrackingPatchThird Party Advisory
github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abbnvdIssue TrackingPatchThird Party Advisory
www.debian.org/security/2017/dsa-3957nvdThird Party Advisory
www.securityfocus.com/bid/99315nvdThird Party AdvisoryVDB Entry
lists.debian.org/debian-lts-announce/2019/01/msg00006.htmlnvdMailing ListThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.045
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000