Skip to main content

FFmpeg EUVDEUVD-2026-38004

| CVE-2026-12706 MEDIUM
Use After Free (CWE-416)
2026-06-19 redhat GHSA-qh4m-69pj-9vc2
6.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Network-delivered file with mandatory user interaction; impact is crash-only (no code execution), so C:N/I:N/A:H with no scope change.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 11:51 vuln.today
CVE Published
Jun 19, 2026 - 10:55 cve.org
MEDIUM 6.5

DescriptionCVE.org

A use-after-free vulnerability was found in FFmpeg's RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same buffer during move-table processing leaves the pointer dangling. An attacker could exploit this by providing a specially crafted AVI file containing a malicious RASC video stream. When a user opens or plays the file, the decoder reads from freed heap memory, which could lead to a denial of service (crash).

AnalysisAI

Use-after-free in FFmpeg's RASC video decoder exposes Red Hat Enterprise Linux AI 3 and Red Hat OpenShift AI deployments to denial-of-service attacks via crafted media files. The decode_move() function retains a raw pointer into a heap-allocated decompressed buffer that is subsequently reallocated during move-table processing, leaving the pointer dangling; reading through it crashes the process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious AVI file with RASC stream
Delivery
Deliver file to victim via network (email, web, shared storage)
Exploit
Victim opens or ingests file triggering FFmpeg decode_move()
Execution
Buffer reallocation during move-table processing invalidates read pointer
Persist
Decoder reads from freed heap memory
Impact
Application crash (denial of service)

Vulnerability AssessmentAI

Exploitation The victim must open or play a specially crafted AVI container file that embeds a malicious RASC video stream; this is the explicit trigger described in the CVE. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) is consistent with the described vulnerability: network delivery of a malicious file with no authentication prerequisite, but requiring a user to open it (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious AVI file embedding a RASC video stream whose move-table data is designed to trigger a buffer reallocation during decode_move() processing, invalidating the read pointer. The file is delivered to a victim - for example, via email attachment, shared storage, or a web link - and when the victim opens it in a media player or application backed by the affected FFmpeg build, the decoder crashes, terminating the process. …
Remediation Apply the vendor-supplied fix from Red Hat as documented at https://access.redhat.com/security/cve/CVE-2026-12706; the exact patched package version is not independently confirmed from the available data and should be verified directly in that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Not-Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

EUVD-2026-38004 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy