CVE-2025-59734

EPSS 0.02%
Veröffentlicht 06.10.2025 08:09:44
Zuletzt bearbeitet 06.10.2025 14:56:21
Quelle cve-coordination@google.com
Teams Watchlist Login
Unerledigt Login

It is possible to cause an use-after-free write in SANM decoding with a carefully crafted animation using subversion <2.

When a STOR chunk is present, a subsequent FOBJ chunk will be saved in ctx->stored_frame. Stored frames can later be referenced by FTCH chunks. For files using subversion < 2, the undecoded frame is stored, and decoded again when the FTCH chunks are parsed. However, in process_frame_obj if the frame has an invalid size, there’s an early return, with a value of 0.

This causes the code in decode_frame to still store the raw frame buffer into ctx->stored_frame. Leaving ctx->has_dimensions set to false.

A subsequent chunk with type FTCH would call process_ftch and decode that frame obj again, adding to the top/left values and calling process_frame_obj again.
Given that we never set ctx->have_dimensions before, this time we set the dimensions, calling init_buffers, which can reallocate the buffer in ctx->stored_frame, freeing the previous one. However, the GetByteContext object gb still holds a reference to the old buffer.

Finally, when the code tries to decode the frame, codecs that accept a GetByteContext as a parameter will trigger a use-after-free read when using gb.

GetByteContext is only used for reading bytes, so at most one could read invalid data. There are no heap allocations between the free and when the object is accessed. However, upon returning to process_ftch, the code restores the original values for top/left in stored_frame, writing 4 bytes to the freed data at offset 6, potentially corrupting the allocator’s metadata.

This issue can be triggered just by probing whether a file has the sanm format.

We recommend upgrading to version 8.0 or beyond.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerFFmpeg

≫

Produkt FFmpeg

Default Statusunaffected

Version < 8.0

Version 4d7c609be37dc57d31527c8c9e5945dc9491a7cd

Status affected

Version < 8.0

Version 7.1.1

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.026

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cve-coordination@google.com	8.7	0	0	CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://b.corp.google.com/issues/440183164

https://nvd.nist.gov/vuln/detail/CVE-2025-59734

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-59734

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-59734

EUVD