First published: Tue Mar 12 2019(Updated: )
In FFmpeg 3.2 and 4.1, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because ff_htmlmarkup_to_ass in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
FFmpeg FFmpeg | =3.2 | |
FFmpeg FFmpeg | =4.1 | |
Debian Debian Linux | =9.0 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
Canonical Ubuntu Linux | =19.04 | |
debian/ffmpeg | 7:4.3.7-0+deb11u1 7:4.3.8-0+deb11u1 7:5.1.6-0+deb12u1 7:7.1-3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for the FFmpeg vulnerability is CVE-2019-9718.
The severity of CVE-2019-9718 is medium (CVSS score: 6.5).
The vulnerability in FFmpeg 3.2 and 4.1 allows attackers to hog the CPU via a crafted video file in Matroska format.
FFmpeg versions 3.2 and 4.1 are affected by CVE-2019-9718.
You can find more information about CVE-2019-9718 at the following references: [1](http://www.securityfocus.com/bid/107382), [2](https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/1f00c97bc3475c477f3c468cf2d924d5761d0982), [3](https://github.com/FFmpeg/FFmpeg/commit/23ccf3cabb4baf6e8af4b1af3fcc59c904736f21).