CVE-2025-59730 in FFmpeg
Summary
by MITRE • 10/06/2025
When decoding a frame for a SANM file (ANIM v0 variant), the decoded data can be larger than the buffer allocated for it.
Frames encoded with codec 48 can specify their resolution (width x height). A buffer of appropriate size is allocated depending on the resolution.
This codec can encode the frame contents using a run-length encoding algorithm. There are no checks that the decoded frame fits in the allocated buffer, leading to a heap-buffer-overflow.
process_frame_obj initializes the buffers based on the frame resolution:
We recommend upgrading to version 8.0 or beyond.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 06/21/2026
The vulnerability described in CVE-2025-59730 represents a critical heap buffer overflow condition within SANM file processing functionality, specifically affecting the ANIM v0 variant implementation. This issue manifests during the decoding process of frames that utilize codec 48, which employs run-length encoding algorithms for frame compression. The flaw stems from inadequate bounds checking during the decompression phase, creating a scenario where decoded data can exceed the allocated buffer boundaries.
The technical implementation of this vulnerability involves the process_frame_obj function which dynamically allocates memory buffers based on frame resolution parameters including width and height dimensions. When processing frames encoded with codec 48, the system calculates buffer sizes according to the specified resolution, but fails to validate whether the decompressed output will actually fit within these boundaries. This omission creates a direct pathway for heap corruption when run-length encoded data expands beyond allocated memory limits, potentially allowing attackers to overwrite adjacent memory regions.
From an operational security perspective, this vulnerability presents significant risks to systems processing SANM files, particularly in environments where untrusted input is handled. The heap buffer overflow condition can lead to arbitrary code execution, system instability, or denial of service scenarios. Attackers could exploit this weakness by crafting malicious SANM files with carefully constructed frame parameters that trigger the buffer overflow during decoding operations. The vulnerability aligns with CWE-121 heap-based buffer overflow classification and could be leveraged through ATT&CK technique T1059.007 for command and control operations.
The recommended mitigation strategy involves upgrading to version 8.0 or later, which presumably includes proper bounds checking mechanisms and memory validation routines. Additional defensive measures should include input validation for frame resolution parameters, implementation of strict buffer size verification before decompression operations, and deployment of memory safety features such as stack canaries or address sanitizer instrumentation. Organizations should also consider implementing file format validation and sandboxing mechanisms for processing untrusted SANM content to reduce the attack surface and prevent exploitation of this vulnerability.