CVE-2025-59729

EPSS 0.02%
Veröffentlicht 06.10.2025 08:08:46
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle cve-coordination@google.com
CVE-Watchlists
Login
Unerledigt
Login

Heap-buffer-overflow read in FFmpeg DHAV get_duration

When parsing the header for a DHAV file, there's an integer underflow in offset calculation that leads to reading the duration from before the start of the allocated buffer.

If we load a DHAV file that is larger than MAX_DURATION_BUFFER_SIZE bytes (0x100000) for example 0x101000 bytes, then at [0] we have size = 0x101000. At [1] we have end_buffer_size = 0x100000, and at [2] we have end_buffer_pos = 0x1000.

The loop then scans backwards through the buffer looking for the dhav tag; when it is found, we'll calculate end_pos based on a 32-bit offset read from the buffer.

There is subsequently a check [3] that end_pos is within the section of the file that has been copied into end_buffer, but it only correctly handles the cases where end_pos is before the start of the file or after the section copied into end_buffer, and not the case where end_pos is within the the file, but before the section copied into end_buffer. If we provide such an offset, (end_pos - end_buffer_pos) can underflow, resulting in the subsequent access at [4] occurring before the beginning of the allocation.

We recommend upgrading to version 8.0 or beyond.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerFFmpeg

≫

Produkt FFmpeg

Default Statusunaffected

Version a218cafe4d3be005ab0c61130f90db4d21afb5db

Version < 8.0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.063

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cve-coordination@google.com	5.7	0	0	CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://issuetracker.google.com/433513232

https://nvd.nist.gov/vuln/detail/CVE-2025-59729

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-59729

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-59729

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-59729