CVE-2025-69693 in FFmpeg

Summary

by MITRE • 03/16/2026

Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c). The quantization parameter (qp) validation at line 2267 only checks the lower bound (qp < 0) but is missing upper bound validation. The qp value can reach 65 (base value 63 from 6-bit frame header + offset +2 from read_qp_offset) while the rv60_qp_to_idx array has size 64 (valid indices 0-63). This results in out-of-bounds array access at lines 1554 (decode_cbp8), 1655 (decode_cbp16), and 1419/1421 (get_c4x4_set), potentially leading to memory disclosure or crash. A previous fix in commit 61cbcaf93f added validation only for intra frames. This vulnerability affects the released versions 8.0 (released 2025-08-22) and 8.0.1 (released 2025-11-20) and is fixed in git master commit 8abeb879df which will be included in FFmpeg 8.1.


Analysis

by VulDB Data Team • 03/21/2026

CVE-2025-69693 is a critical out-of-bounds read flaw in the FFmpeg 8.0 and 8.0.1 video decoding pipeline, specifically in the RV60 video decoder. It stems from insufficient validation of the quantization parameter (qp) during video frame processing, so maliciously crafted video content can trigger memory access violations. The flaw is in libavcodec/rv60dec.c, where the qp validation at line 2267 performs only a lower bound check (qp < 0) and omits the upper bound check entirely. As a result the qp value can reach 65, which is outside the bounds of the rv60_qp_to_idx array: that array has 64 elements, indexed from 0 to 63.

Several code paths use the improperly validated qp value. The out-of-bounds access occurs at three locations in the decoder: line 1554 in decode_cbp8, line 1655 in decode_cbp16, and lines 1419/1421 in get_c4x4_set. A single validation failure on qp therefore propagates to multiple potential crash points throughout the decoding process. The vulnerability's exploitation potential increases significantly because qp can reach 65 by combining a base value of 63 from the 6-bit frame header with an additional offset of +2 from read_qp_offset, which exceeds the array's capacity. This type of memory access violation falls under CWE-129 (improper validation of array index) and aligns with ATT&CK technique T1203 by leveraging software vulnerabilities to achieve arbitrary code execution or system instability.

The operational impact of this vulnerability extends beyond simple crash conditions to potentially enable memory disclosure attacks that could expose sensitive information from the application's memory space. When the decoder attempts to access the rv60_qp_to_idx array with an index of 65, it reads from memory locations beyond the allocated array boundaries, creating opportunities for attackers to extract data that should remain confidential. The vulnerability affects FFmpeg versions 8.0 and 8.0.1 released on August 22, 2025, and November 20, 2025, respectively, making these versions particularly dangerous for applications that process untrusted video content. The previous partial fix implemented in commit 61cbcaf93f only addressed intra frames, leaving inter frames vulnerable to the same out-of-bounds read condition. This incomplete remediation demonstrates the complexity of video codec security and the challenges in properly validating parameter ranges that can influence multiple internal data structures. The vulnerability has been addressed in the git master branch through commit 8abeb879df, which will be included in the upcoming FFmpeg 8.1 release, providing a complete solution that validates both lower and upper bounds of the qp parameter across all frame types.

The fix implemented in the subsequent FFmpeg release demonstrates proper input validation practices by ensuring that the qp parameter value is constrained within the valid range of 0 to 63, matching exactly the size of the rv60_qp_to_idx array. This complete validation approach prevents the out-of-bounds memory access that could lead to system crashes or information disclosure. Security practitioners should prioritize updating to FFmpeg 8.1 or applying the relevant patch to mitigate this vulnerability, particularly in environments where FFmpeg processes untrusted video content from external sources. The vulnerability serves as a reminder of the critical importance of comprehensive input validation in multimedia processing libraries, where parameter validation failures can have cascading effects throughout complex decoding pipelines. Organizations relying on FFmpeg for video processing should conduct thorough testing to ensure that the updated version properly handles all video formats and edge cases while maintaining performance and compatibility with existing applications.
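The missing upper bound described above, shown as an added C example that is not FFmpeg's code and not the upstream patch. The table contents, the function names and the symmetric offset range of -2 to +2 used for the sweep are assumptions; only the table size of 64, the 6-bit base value and the +2 maximum offset come from the page.

```c
#include <stdio.h>
#include <stddef.h>

#define QP_TABLE_SIZE 64   /* page: rv60_qp_to_idx has 64 entries (0-63) */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Stand-in table with constructed (all-zero) contents; only its size
 * matches the page. */
static unsigned char qp_table[QP_TABLE_SIZE];

/* The check as the page describes it before the fix: lower bound only. */
static int qp_ok_lower_only(int qp) { return qp >= 0; }

/* Both bounds, tied to the table length rather than a literal. */
static int qp_ok_full(int qp)
{
    return qp >= 0 && (size_t)qp < ARRAY_LEN(qp_table);
}

/* Lookup that refuses an out-of-range index: returns -1 instead of reading. */
static int qp_lookup(int qp) { return qp_ok_full(qp) ? qp_table[qp] : -1; }

/* Sweep every 6-bit base qp with offsets in [-max_off, max_off] (assumed
 * range) and count the values a check accepts that lie past the table. */
static int count_oob_accepted(int (*check)(int), int max_off)
{
    int n = 0;
    for (int base = 0; base < 64; base++)
        for (int off = -max_off; off <= max_off; off++) {
            int qp = base + off;
            if (check(qp) && qp >= QP_TABLE_SIZE)
                n++;
        }
    return n;
}

int main(void)
{
    printf("lower-bound only: %d out-of-range qp values accepted\n",
           count_oob_accepted(qp_ok_lower_only, 2));
    printf("both bounds:      %d out-of-range qp values accepted\n",
           count_oob_accepted(qp_ok_full, 2));
    printf("lookup(65) = %d, lookup(63) = %d\n", qp_lookup(65), qp_lookup(63));
    return 0;
}
```

The three accepted out-of-range cases under the lower-bound-only check are 62+2, 63+1 and 63+2, giving qp values of 64, 64 and 65.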

Responsible: MITRE
Reservation: 01/09/2026
Disclosure: 03/16/2026
Moderation: accepted
CPE: ready
EPSS: 0.00018
KEV: no
Activities: very low
