Skip to main content

CVE-2026-30997

| EUVDEUVD-2026-21972 HIGH
Out-of-bounds Read (CWE-125)
2026-04-13 mitre
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Patch released
Apr 19, 2026 - 02:30 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:29 vuln.today
CVSS changed
Apr 13, 2026 - 20:22 NVD
7.5 (HIGH)
EUVD ID Assigned
Apr 13, 2026 - 15:15 euvd
EUVD-2026-21972
Analysis Generated
Apr 13, 2026 - 15:15 vuln.today
CVE Published
Apr 13, 2026 - 00:00 nvd
HIGH 7.5

DescriptionCVE.org

An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.

AnalysisAI

Out-of-bounds read in FFmpeg 8.0.1's AV1 decoder allows remote denial-of-service via malicious video files. Attackers craft inputs targeting read_global_param() in libavcodec/av1dec.c to trigger memory access violations, crashing the decoder. Affects applications processing untrusted AV1 video content (media servers, transcoders, browsers with FFmpeg). CVSS 7.5 (High) reflects network-exploitable DoS; EPSS 0.04% indicates low observed exploitation probability. No active exploitation confirmed (n

Technical ContextAI

FFmpeg is a widely-deployed multimedia framework handling video/audio encoding, decoding, and streaming. This vulnerability resides in the AV1 codec decoder (libavcodec/av1dec.c), specifically the read_global_param() function responsible for parsing AV1 global motion parameters during bitstream decoding. CWE-125 (Out-of-bounds Read) indicates the function accesses memory beyond allocated buffer boundaries when processing malformed AV1 global parameter data structures. AV1 (AOMedia Video 1) is a modern royalty-free codec increasingly used in streaming platforms. The parser fails to validate parameter indices or lengths before memory access, allowing crafted bitstreams to trigger reads from unmapped regions. Affected product identified as FFmpeg version 8.0.1 (released 2025), though CPE data is incomplete (cpe:2.3:a:n/a:n/a suggests product enumeration pending). The vulnerability is decoder-side, meaning exploitation occurs during media processing rather than encoding.

RemediationAI

Upgrade FFmpeg to the latest stable release addressing CVE-2026-30997. At time of analysis, specific patched version number is not confirmed in available advisories; consult FFmpeg project announcements at https://github.com/FFmpeg/FFmpeg for release notes identifying the fix commit. Organizations unable to upgrade immediately should implement input validation controls: restrict AV1 decoding to trusted content sources, disable AV1 codec support if not operationally required (compile-time flag --disable-decoder=av1 or runtime codec blocking), and deploy media processing sandboxes to contain DoS impact. For public-facing services, implement rate limiting and resource quotas on video processing endpoints to mitigate automated DoS attempts. Monitor FFmpeg project security advisories and CVE references at https://nvd.nist.gov/vuln/detail/CVE-2026-30997 and https://vuldb.com/vuln/357171 for patch availability updates. Downstream application vendors (browser manufacturers, media player developers) should coordinate with FFmpeg project timelines and issue synchronized updates.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed

Share

CVE-2026-30997 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy