CRITICAL🇵🇱 Wersja polska

CVE-2024-22862

CVSS 9.8v3.1pub. 2024-01-27upd. 2025-08-11

Integer overflow vulnerability in FFmpeg before n6.1, allows remote attackers to execute arbitrary code via the JJPEG XL Parser.

🤖 AI Analysis
How it works

The bug is an integer overflow during processing of JPEG XL format files by FFmpeg's built-in parser. Incorrect size or index calculations can lead to memory management errors, which an attacker can exploit to gain control over the program's execution flow. The attack requires no authentication or user interaction — it is sufficient to provide a crafted file or media stream to an application using the vulnerable FFmpeg version.

Impact

An attacker can execute arbitrary code (RCE) in the context of the FFmpeg process, which in practice means the possibility of complete system takeover, data theft, or malicious software installation.

Mitigation & patch

FFmpeg should be updated to version n6.1 or later. The patch was introduced in commit ca09d8a0dcd82e3128e62463231296aaf63ae6f7 in the FFmpeg GitHub repository.

Who is affected

FFmpeg in all versions before n6.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Ffmpeg

    APP
    Ffmpeg
    6.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-35368CRITICAL9.8PL ✓ten sam produkt

Double Free w FFmpeg — podatność w dekoderze RKMPP (libavcodec)

CVE-2024-35366CRITICAL9.1PL ✓ten sam produkt

FFmpeg: Integer Overflow w parse_options (sbgdec.c) — moduł libavformat

CVE-2024-35367CRITICAL9.1PL ✓ten sam produkt

FFmpeg: Out-of-bounds Read w dekoderze VP8 na architekturze PowerPC (AltiVec)

CVE-2024-31581CRITICAL9.8PL ✓ten sam produkt

FFmpeg: nieprawidłowa walidacja indeksu tablicy w dekodowaniu H.266

CVE-2024-22860CRITICAL9.8PL ✓ten sam produkt

Integer overflow w FFmpeg — RCE przez dekoder animacji JPEG XL