Vendor

FFmpeg

FFmpeg is a free and open-source software project consisting of a suite of libraries and programs for handling video, audio, and other multimedia files and streams. At its core is the command-line ffmpeg tool itself, designed for processing video and audio files. It is widely used for format transcoding, basic editing, video scaling, video post-production effects, and standards compliance.

Founded 2000

Products

CVEs

263

Across products

7,681

Status

Private

Products

Ffmpeg
7,678 CVEs
Lavf Demuxer
1 CVE
Libavcodec
1 CVE
Libswresample
1 CVE

Recent CVEs

263

CVE	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2017-16840	Cri	0.64	9.8	0.02	Nov 21, 2017	The VC-2 Video Compression encoder in FFmpeg 3.0 and 3.4 allows remote attackers to cause a denial of service (out-of-bounds read) because of incorrect buffer padding for non-Haar wavelets, related to libavcodec/vc2enc.c and libavcodec/vc2enc_dwt.c.
CVE-2013-0870	Cri	0.64	9.8	0.00	Aug 28, 2017	The 'vp3_decode_frame' function in FFmpeg 1.1.4 moves threads check out of header packet type check.
CVE-2012-2781	Cri	0.64	9.8	0.00	Aug 9, 2017	Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact and attack vectors, a different vulnerability than CVE-2012-2771, CVE-2012-2773, CVE-2012-2778, and CVE-2012-2780.
CVE-2012-2780	Cri	0.64	9.8	0.00	Aug 9, 2017	Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact and attack vectors, a different vulnerability than CVE-2012-2771, CVE-2012-2773, CVE-2012-2778, and CVE-2012-2781.
CVE-2012-2778	Cri	0.64	9.8	0.00	Aug 9, 2017	Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact and attack vectors, a different vulnerability than CVE-2012-2771, CVE-2012-2773, CVE-2012-2780, and CVE-2012-2781.
CVE-2012-2773	Cri	0.64	9.8	0.00	Aug 9, 2017	Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact and attack vectors, a different vulnerability than CVE-2012-2771, CVE-2012-2778, CVE-2012-2780, and CVE-2012-2781.
CVE-2012-2771	Cri	0.64	9.8	0.00	Aug 9, 2017	Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact and attack vectors, a different vulnerability than CVE-2012-2773, CVE-2012-2778, CVE-2012-2780, and CVE-2012-2781.
CVE-2017-7866	Cri	0.64	9.8	0.01	Apr 14, 2017	FFmpeg before 2017-01-23 has an out-of-bounds write caused by a stack-based buffer overflow related to the decode_zbuf function in libavcodec/pngdec.c.
CVE-2017-7865	Cri	0.64	9.8	0.01	Apr 14, 2017	FFmpeg before 2017-01-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the ipvideo_decode_block_opcode_0xA function in libavcodec/interplayvideo.c and the avcodec_align_dimensions2 function in libavcodec/utils.c.
CVE-2017-7863	Cri	0.64	9.8	0.01	Apr 14, 2017	FFmpeg before 2017-02-04 has an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame_common function in libavcodec/pngdec.c.
CVE-2017-7862	Cri	0.64	9.8	0.02	Apr 14, 2017	FFmpeg before 2017-02-07 has an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame function in libavcodec/pictordec.c.
CVE-2017-7859	Cri	0.64	9.8	0.01	Apr 14, 2017	FFmpeg before 2017-03-05 has an out-of-bounds write caused by a heap-based buffer overflow related to the ff_h264_slice_context_init function in libavcodec/h264dec.c.
CVE-2016-10192	Cri	0.64	9.8	0.05	Feb 9, 2017	Heap-based buffer overflow in ffserver.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote attackers to execute arbitrary code by leveraging failure to check chunk size.
CVE-2016-10191	Cri	0.64	9.8	0.08	Feb 9, 2017	Heap-based buffer overflow in libavformat/rtmppkt.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote attackers to execute arbitrary code by leveraging failure to check for RTMP packet size mismatches.
CVE-2016-10190	Cri	0.64	9.8	0.10	Feb 9, 2017	Heap-based buffer overflow in libavformat/http.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote web servers to execute arbitrary code via a negative chunk size in an HTTP response.
CVE-2017-14767	Hig	0.57	8.8	0.01	Sep 27, 2017	The sdp_parse_fmtp_config_h264 function in libavformat/rtpdec_h264.c in FFmpeg before 3.3.4 mishandles empty sprop-parameter-sets values, which allows remote attackers to cause a denial of service (heap buffer overflow) or possibly have unspecified other impact via a crafted sdp file.
CVE-2017-14225	Hig	0.57	8.8	0.00	Sep 9, 2017	The av_color_primaries_name function in libavutil/pixdesc.c in FFmpeg 3.3.3 may return a NULL pointer depending on a value contained in a file, but callers do not anticipate this, as demonstrated by the avcodec_string function in libavcodec/utils.c, leading to a NULL pointer dereference. (It is also conceivable that there is security relevance for a NULL pointer dereference in av_color_primaries_name calls within the ffprobe command-line program.)
CVE-2017-14169	Hig	0.57	8.8	0.00	Sep 7, 2017	In the mxf_read_primer_pack function in libavformat/mxfdec.c in FFmpeg 3.3.3 -> 2.4, an integer signedness error might occur when a crafted file, which claims a large "item_num" field such as 0xffffffff, is provided. As a result, the variable "item_num" turns negative, bypassing the check for a large value.
CVE-2017-9992	Hig	0.57	8.8	0.01	Jun 28, 2017	Heap-based buffer overflow in the decode_dds1 function in libavcodec/dfa.c in FFmpeg before 2.8.12, 3.0.x before 3.0.8, 3.1.x before 3.1.8, 3.2.x before 3.2.5, and 3.3.x before 3.3.1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file.
CVE-2017-9990	Hig	0.57	8.8	0.01	Jun 28, 2017	Stack-based buffer overflow in the color_string_to_rgba function in libavcodec/xpmdec.c in FFmpeg 3.3 before 3.3.1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file.