ffmpeg QuickTime RPZA Video Encoder libavcodec/rpzaenc.c y_size out-of-bounds

A vulnerability classified as problematic has been found in ffmpeg. This affects an unknown part of the file libavcodec/rpzaenc.c of the component QuickTime RPZA Video Encoder. The manipulation of the argument y_size leads to out-of-bounds read. The CWE definition for the vulnerability is CWE-125. The weakness was presented 11/13/2022 as 92f9b28ed84a77138105475beba16c146bdaf984. It is possible to read the advisory at git.ffmpeg.org. This vulnerability is uniquely identified as CVE-2022-3964. It is possible to initiate the attack remotely. Technical details are available. There is no exploit available. The pricing for an exploit might be around USD $0-$5k at the moment. It is declared as not defined. We expect the 0-day to have been worth approximately $0-$5k. The patch is named 92f9b28ed84a77138105475beba16c146bdaf984. The bugfix is ready for download at git.ffmpeg.org. It is recommended to apply a patch to fix this issue. A possible mitigation has been published even before and not after the disclosure of the vulnerability.

Field11/13/2022 08:4012/17/2022 14:10
nameffmpegffmpeg
componentQuickTime RPZA Video EncoderQuickTime RPZA Video Encoder
filelibavcodec/rpzaenc.clibavcodec/rpzaenc.c
argumenty_sizey_size
cwe125 (out-of-bounds)125 (out-of-bounds)
risk11
cvss3_vuldb_avNN
cvss3_vuldb_acLL
cvss3_vuldb_prNN
cvss3_vuldb_uiRR
cvss3_vuldb_sUU
cvss3_vuldb_cNN
cvss3_vuldb_iNN
cvss3_vuldb_aLL
cvss3_vuldb_rlOO
cvss3_vuldb_rcCC
identifier92f9b28ed84a77138105475beba16c146bdaf98492f9b28ed84a77138105475beba16c146bdaf984
urlhttps://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92f9b28ed84a77138105475beba16c146bdaf984https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92f9b28ed84a77138105475beba16c146bdaf984
namePatchPatch
patch_name92f9b28ed84a77138105475beba16c146bdaf98492f9b28ed84a77138105475beba16c146bdaf984
patch_urlhttps://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92f9b28ed84a77138105475beba16c146bdaf984https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92f9b28ed84a77138105475beba16c146bdaf984
cveCVE-2022-3964CVE-2022-3964
responsibleVulDBVulDB
typeMultimedia Processing SoftwareMultimedia Processing Software
cvss2_vuldb_avNN
cvss2_vuldb_acLL
cvss2_vuldb_auNN
cvss2_vuldb_ciNN
cvss2_vuldb_iiNN
cvss2_vuldb_aiPP
cvss2_vuldb_rcCC
cvss2_vuldb_rlOFOF
cvss2_vuldb_eNDND
cvss3_vuldb_eXX
cvss2_vuldb_basescore5.05.0
cvss2_vuldb_tempscore4.44.4
cvss3_vuldb_basescore4.34.3
cvss3_vuldb_tempscore4.14.1
cvss3_meta_basescore4.34.3
cvss3_meta_tempscore4.14.1
price_0day$0-$5k$0-$5k
date1668294000 (11/13/2022)1668294000 (11/13/2022)
cve_assigned1668294000 (11/13/2022)
cve_nvd_summaryA vulnerability classified as problematic has been found in ffmpeg. This affects an unknown part of the file libavcodec/rpzaenc.c of the component QuickTime RPZA Video Encoder. The manipulation of the argument y_size leads to out-of-bounds read. It is possible to initiate the attack remotely. The name of the patch is 92f9b28ed84a77138105475beba16c146bdaf984. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-213543.

PreviousOverviewNext

Do you need the next level of professionalism?

Upgrade your account now!