CRITICAL🇵🇱 Wersja polska

CVE-2024-31581

CVSS 9.8v3.1pub. 2024-04-17upd. 2025-11-04

FFmpeg version n6.1 was discovered to contain an improper validation of array index vulnerability in libavcodec/cbs_h266_syntax_template.c. This vulnerability allows attackers to cause undefined behavior within the application.

🤖 AI Analysis
How it works

The vulnerability results from lack of proper verification of the index value before using it to access an array element in the code handling H.266/VVC syntax. An attacker can provide specially crafted input data (e.g., malicious media file) that leads to reading or writing outside array bounds. This results in undefined behavior of the application, which can be further exploited.

Impact

An attacker can cause undefined behavior in the application, potentially resulting in data disclosure, integrity violation, or denial of service — high impact on system confidentiality, integrity, and availability.

Mitigation & patch

FFmpeg should be updated to version n6.1.1 or later, in which the bug has been fixed (commit ce0c178a408d43e71085c28a47d50dc939b60196). Fedora distribution users should apply package updates according to announcements published on Fedora mailing lists.

Who is affected

FFmpeg in version n6.1 and Fedora distributions containing this version of FFmpeg package

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Fedora Project Fedora

    OS
    Fedoraproject
    383940
  • Ffmpeg

    APP
    Ffmpeg
    6.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-4577CRITICAL9.8⚠ KEVPL ✓ten sam produkt

PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit

CVE-2024-5274CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML

CVE-2024-4947CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Type Confusion w silniku V8 Chrome — zdalne wykonanie kodu (RCE)

CVE-2024-4671CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Use-after-free w Google Chrome Visuals umożliwiający ucieczkę z sandbox

CVE-2023-6345CRITICAL9.6⚠ KEVPL ✓ten sam produkt

Integer overflow w Skia w Google Chrome — sandbox escape