Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote crafted media reaches the decoder with no auth or UI in automated pipelines (AV:N/AC:L/PR:N/UI:N); OOB read gives limited C/I, while the heap OOB write primarily yields crash/corruption (A:H).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.
AnalysisAI
Out-of-bounds heap write in FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) allows attackers to corrupt memory when libavcodec decodes a crafted stream using the RASC FourCC. The decoder performs 32-bit reads/writes at the row cursor before the NEXT_LINE boundary check and validates DLTA regions in pixel rather than byte units, letting a DLTA run on a PAL8 frame write and read several bytes past the row allocation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that libavcodec actually decode a stream using the RASC FourCC and reach the DLTA delta path on a PAL8 (8-bit palettized) frame - the bitstream-controlled DLTA run is what triggers the byte/pixel boundary miscalculation, so a non-RASC or non-PAL8 input will not reach the bug. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, VC:L/VI:L/VA:H, base 8.8) models remote, low-complexity exploitation with no privileges or user interaction and high availability impact - consistent with automated server-side media processing that ingests untrusted files without a human opening them. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker uploads or serves a crafted media file containing a RASC-FourCC stream with a malicious DLTA run targeting a PAL8 frame; when a victim media server auto-transcodes it (or a user opens it), decode_dlta writes past the row buffer, corrupting adjacent heap memory. Given AV:N/AC:L and no required privileges, this is straightforward to deliver remotely, and a public POC already exists, lowering the bar to reproduce a crash or memory-corruption condition. |
| Remediation | No vendor-released patched version is identified in the provided data, so an exact fix version cannot be cited - monitor the FFmpeg project (libavcodec/rasc.c) and the VulnCheck advisory at https://www.vulncheck.com/advisories/ffmpeg-out-of-bounds-write-in-rasc-decoder-decode-dlta for the patched release and upgrade to it once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running FFmpeg and determine which process untrusted video content (particularly RASC-encoded streams). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/iamf.c. Rated
FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/mem.c. Rated m
A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. Rated medium severity (CVSS 5.3), this
ffmpeg 7.1 is vulnerable to Null Pointer Dereference in function iamf_read_header in /libavformat/iamfdec.c. Rated mediu
Out-of-bounds write in FFmpeg's libavcodec MagicYUV decoder (libavcodec/magicyuv.c) affects all FFmpeg versions before 8
A vulnerability was found in FFmpeg up to 7.1. Rated medium severity (CVSS 4.8), this vulnerability is low attack comple
FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/
A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a
Integer overflow in FFmpeg's CENC subsample data parsing (libavformat/mov.c) before version 8.1 enables out-of-bounds me
Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read Sensitive Constants Within an Executable.
FFmpeg n6.1.1 has a vulnerability in the DXA demuxer of the libavformat library allowing for an integer overflow, potent
FFmpeg version n6.1.1 has a double-free vulnerability in the fftools/ffmpeg_mux_init.c component of FFmpeg, specifically
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 7:4.3.7-0+deb11u1 | - |
| bullseye (security) | vulnerable | 7:4.3.9-0+deb11u2 | - |
| bookworm | vulnerable | 7:5.1.8-0+deb12u1 | - |
| bookworm (security) | vulnerable | 7:5.1.9-0+deb12u1 | - |
| trixie | vulnerable | 7:7.1.3-0+deb13u1 | - |
| trixie (security) | vulnerable | 7:7.1.5-0+deb13u1 | - |
| forky, sid | vulnerable | 7:8.1.2-2 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39969
GHSA-mjxr-6gqf-w78h