First published: Tue Mar 12 2019(Updated: )
A denial of service in the subtitle decoder in FFmpeg 3.2 and 4.1 allows attackers to hog the CPU via a crafted video file in Matroska format, because handle_open_brace in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
FFmpeg FFmpeg | =3.2 | |
FFmpeg FFmpeg | =4.1 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
Canonical Ubuntu Linux | =19.04 | |
debian/ffmpeg | 7:4.3.7-0+deb11u1 7:4.3.8-0+deb11u1 7:5.1.6-0+deb12u1 7:7.1-3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2019-9721.
The severity level of CVE-2019-9721 is medium, with a severity value of 6.5.
FFmpeg versions 3.2 and 4.1 are affected by CVE-2019-9721.
An attacker can exploit CVE-2019-9721 by using a crafted video file in Matroska format to hog the CPU through the subtitle decoder in FFmpeg.
Yes, you can find references for CVE-2019-9721 at the following links: - http://www.securityfocus.com/bid/107384 - https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/894995c41e0795c7a44f81adc4838dedc3932e65 - https://github.com/FFmpeg/FFmpeg/commit/273f2755ce8635d42da3cde0eeba15b2e7842774