Skip to main content

EUVDEUVD-2026-21974

| CVE-2026-30998 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-04-13 mitre GHSA-83ph-9qxx-hfjx
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Patch released
Apr 19, 2026 - 02:30 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:30 vuln.today
CVSS changed
Apr 13, 2026 - 20:22 NVD
7.5 (None) 7.5 (HIGH)
EUVD ID Assigned
Apr 13, 2026 - 15:15 euvd
EUVD-2026-21974
Analysis Generated
Apr 13, 2026 - 15:15 vuln.today
CVE Published
Apr 13, 2026 - 00:00 nvd
HIGH 7.5

DescriptionCVE.org

An improper resource deallocation and closure vulnerability in the tools/zmqsend.c component of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input file.

AnalysisAI

Resource deallocation flaw in FFmpeg 8.0.1's zmqsend.c utility enables remote denial of service through crafted input files. Attackers can trigger improper cleanup of allocated resources without authentication (CVSS AV:N/AC:L/PR:N/UI:N), exhausting system resources. EPSS score of 0.04% (11th percentile) indicates low real-world exploitation probability, and no active exploitation confirmed (not in CISA KEV). The vulnerability affects a non-core utility component used for ZeroMQ message sending, limiting practical attack surface compared to main FFmpeg libraries.

Technical ContextAI

The vulnerability resides in tools/zmqsend.c, a command-line utility within FFmpeg for sending messages via ZeroMQ (a high-performance asynchronous messaging library). The root cause is CWE-400 (Uncontrolled Resource Consumption), manifesting as improper resource deallocation and closure. When processing specially crafted input files, the zmqsend utility fails to properly release allocated memory, file handles, or network resources, leading to resource exhaustion. This is distinct from FFmpeg's core video/audio processing libraries (libavcodec, libavformat) and affects a standalone tool primarily used in testing or integration scenarios. The CPE data lists 'n/a' for vendor/product, reflecting ambiguity in vulnerability database indexing, but the affected component is definitively FFmpeg's zmqsend utility as confirmed by source code references.

RemediationAI

No vendor-released patch identified at time of analysis. The references point to existing source code (github.com/FFmpeg/FFmpeg/blob/master/tools/zmqsend.c and doxygen documentation) rather than fix commits or security advisories. Organizations should monitor FFmpeg's official security mailing list and GitHub repository for forthcoming patches addressing CVE-2026-30998. Immediate mitigations include: (1) disable or remove zmqsend utility from production environments if not operationally required, (2) implement strict input validation and sanitization if zmqsend must process external files, (3) apply resource limits (ulimit, cgroups) to constrain memory/file descriptor consumption when invoking zmqsend, (4) isolate zmqsend execution in sandboxed environments with restricted privileges. For detailed vulnerability analysis, review the researcher disclosure at excellent-oatmeal-319.notion.site. Track NVD entry nvd.nist.gov/vuln/detail/CVE-2026-30998 for updated remediation guidance.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed

Share

EUVD-2026-21974 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy