CVE-2019-16352
Description
ffjpeg before 2019-08-21 has a heap-based buffer overflow in jfif_load() at jfif.c.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap buffer overflow in ffjpeg jfif_load() before 2019-08-21 allows denial of service via crafted input.
Vulnerability
A heap-based buffer overflow vulnerability exists in the jfif_load() function in jfif.c of ffjpeg before the commit of 2019-08-21 (master 627c8a9). The overflow occurs when processing a crafted JPEG file as input to the decoder [1]. The vulnerable code path is reachable when ffjpeg is invoked with the -d option to decode a file [1].
Exploitation
An attacker can exploit this vulnerability by supplying a specially crafted JPEG file to the ffjpeg decoder [1]. No authentication or special privileges are required; the attacker only needs to make the victim run ./ffjpeg -d $POC, where $POC is the malicious file [1]. The issue was reproduced on Ubuntu 14.04, 64-bit [1].
Impact
Successful exploitation results in a heap buffer overflow, which typically causes a crash (denial of service) and may allow arbitrary code execution or information disclosure depending on the memory layout [1]. The AddressSanitizer report shows a write of 4 bytes at an out-of-bounds address [1].
Mitigation
As of the publication date (2019-09-16), no fixed version of ffjpeg has been released [1]. Users should avoid decoding untrusted JPEG files with ffjpeg until a patch is available. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last update.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ffjpeg/ffjpeg (description)
Patches
No patches discovered yet.
References
[1] github.com/rockcarry/ffjpeg/issues/12 (MITRE, x_refsource_MISC)