adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Information Disclosure
Ffmpeg
Debian Linux
NVD
GitHub
CVSS 3.1
9.8
EPSS
2.4%