Skip to main content

FFmpeg EUVDEUVD-2026-39969

| CVE-2026-58049 HIGH
Out-of-bounds Write (CWE-787)
2026-06-28 VulnCheck GHSA-mjxr-6gqf-w78h
8.8
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Remote crafted media reaches the decoder with no auth or UI in automated pipelines (AV:N/AC:L/PR:N/UI:N); OOB read gives limited C/I, while the heap OOB write primarily yields crash/corruption (A:H).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 28, 2026 - 02:29 vuln.today
CVSS changed
Jun 28, 2026 - 02:22 NVD
8.6 (HIGH) 8.8 (HIGH)

DescriptionCVE.org

FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.

AnalysisAI

Out-of-bounds heap write in FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) allows attackers to corrupt memory when libavcodec decodes a crafted stream using the RASC FourCC. The decoder performs 32-bit reads/writes at the row cursor before the NEXT_LINE boundary check and validates DLTA regions in pixel rather than byte units, letting a DLTA run on a PAL8 frame write and read several bytes past the row allocation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft RASC stream with malicious DLTA run
Delivery
Deliver media to FFmpeg decoder
Exploit
decode_dlta processes PAL8 frame
Execution
Pixel/byte miscalc bypasses NEXT_LINE check
Persist
Heap out-of-bounds write and adjacent read
Impact
Memory corruption / potential code execution

Vulnerability AssessmentAI

Exploitation Exploitation requires that libavcodec actually decode a stream using the RASC FourCC and reach the DLTA delta path on a PAL8 (8-bit palettized) frame - the bitstream-controlled DLTA run is what triggers the byte/pixel boundary miscalculation, so a non-RASC or non-PAL8 input will not reach the bug. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, VC:L/VI:L/VA:H, base 8.8) models remote, low-complexity exploitation with no privileges or user interaction and high availability impact - consistent with automated server-side media processing that ingests untrusted files without a human opening them. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker uploads or serves a crafted media file containing a RASC-FourCC stream with a malicious DLTA run targeting a PAL8 frame; when a victim media server auto-transcodes it (or a user opens it), decode_dlta writes past the row buffer, corrupting adjacent heap memory. Given AV:N/AC:L and no required privileges, this is straightforward to deliver remotely, and a public POC already exists, lowering the bar to reproduce a crash or memory-corruption condition.
Remediation No vendor-released patched version is identified in the provided data, so an exact fix version cannot be cited - monitor the FFmpeg project (libavcodec/rasc.c) and the VulnCheck advisory at https://www.vulncheck.com/advisories/ffmpeg-out-of-bounds-write-in-rasc-decoder-decode-dlta for the patched release and upgrade to it once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running FFmpeg and determine which process untrusted video content (particularly RASC-encoded streams). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Ffmpeg

View all
CVE-2025-25469 MEDIUM POC
6.5 Feb 18

FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/iamf.c. Rated

CVE-2025-25468 MEDIUM POC
6.5 Feb 18

FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/mem.c. Rated m

CVE-2025-1594 MEDIUM POC
5.3 Feb 23

A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. Rated medium severity (CVSS 5.3), this

CVE-2024-55069 MEDIUM POC
5.3 May 02

ffmpeg 7.1 is vulnerable to Null Pointer Dereference in function iamf_read_header in /libavformat/iamfdec.c. Rated mediu

CVE-2026-8461 HIGH
8.8 Jun 18

Out-of-bounds write in FFmpeg's libavcodec MagicYUV decoder (libavcodec/magicyuv.c) affects all FFmpeg versions before 8

CVE-2025-1373 MEDIUM POC
4.8 Feb 17

A vulnerability was found in FFmpeg up to 7.1. Rated medium severity (CVSS 4.8), this vulnerability is low attack comple

CVE-2025-22921 MEDIUM
6.5 Feb 18

FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/

CVE-2025-10256 MEDIUM
5.3 Feb 18

A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a

CVE-2026-40962 MEDIUM
4.9 Apr 16

Integer overflow in FFmpeg's CENC subsample data parsing (libavformat/mov.c) before version 8.1 enables out-of-bounds me

CVE-2025-0518 MEDIUM
4.8 Jan 16

Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read Sensitive Constants Within an Executable.

CVE-2024-36613 MEDIUM
6.2 Jan 03

FFmpeg n6.1.1 has a vulnerability in the DXA demuxer of the libavformat library allowing for an integer overflow, potent

CVE-2024-35365 HIGH
8.8 Jan 03

FFmpeg version n6.1.1 has a double-free vulnerability in the fftools/ffmpeg_mux_init.c component of FFmpeg, specifically

Vendor StatusVendor

Debian

ffmpeg
Release Status Fixed Version Urgency
bullseye vulnerable 7:4.3.7-0+deb11u1 -
bullseye (security) vulnerable 7:4.3.9-0+deb11u2 -
bookworm vulnerable 7:5.1.8-0+deb12u1 -
bookworm (security) vulnerable 7:5.1.9-0+deb12u1 -
trixie vulnerable 7:7.1.3-0+deb13u1 -
trixie (security) vulnerable 7:7.1.5-0+deb13u1 -
forky, sid vulnerable 7:8.1.2-2 -
(unstable) fixed (unfixed) -

Share

EUVD-2026-39969 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy