A vulnerability was found in FFmpeg 4.1 (Multimedia Processing Software). It has been declared as problematic. Affected by this vulnerability is an unknown code block of the file libavcodec/cbs_av1.c. The manipulation with an unknown input leads to a array index vulnerability. The CWE definition for the vulnerability is CWE-129. The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. As an impact it is known to affect availability. The summary by CVE is:

FFMPEG version 4.1 contains a CWE-129: Improper Validation of Array Index vulnerability in libavcodec/cbs_av1.c that can result in Denial of service. This attack appears to be exploitable via specially crafted AV1 file has to be provided as input. This vulnerability appears to have been fixed in after commit b97a4b658814b2de8b9f2a3bce491c002d34de31.

The bug was discovered 12/02/2018. The weakness was released 02/04/2019. This vulnerability is known as CVE-2019-1000016 since 02/04/2019. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit.

The vulnerability was handled as a non-public zero-day exploit for at least 64 days. During that time the estimated underground price was around $0-$5k.

Applying the patch b97a4b658814b2de8b9f2a3bce491c002d34de31 is able to eliminate this problem.

Productinfo

Type

• Multimedia Processing Software

Name

• FFmpeg

Version

• 4.1

License

• open-source

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion