CVE-2024-35366

FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options function of sbgdec.c within the libavformat module. When parsing certain options, the software does not adequately validate the input. This allows for negative duration values to be accepted without proper bounds checking.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/1047524396/1e72f170d58c2547ebd4db4cdf6cfabf	Third Party Advisory
https://github.com/FFmpeg/FFmpeg/blob/n6.1.1/libavformat/sbgdec.c#L389	Product
https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:ffmpeg:ffmpeg:6.1.1:*:*:*:*:*:*:*

History

03 Jun 2025, 16:03

Type	Values Removed	Values Added
References	~~() https://gist.github.com/1047524396/1e72f170d58c2547ebd4db4cdf6cfabf -~~	() https://gist.github.com/1047524396/1e72f170d58c2547ebd4db4cdf6cfabf - Third Party Advisory
References	~~() https://github.com/FFmpeg/FFmpeg/blob/n6.1.1/libavformat/sbgdec.c#L389 -~~	() https://github.com/FFmpeg/FFmpeg/blob/n6.1.1/libavformat/sbgdec.c#L389 - Product
References	~~() https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6 -~~	() https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6 - Patch
CPE		cpe:2.3:a:ffmpeg:ffmpeg:6.1.1:::::::*
First Time		Ffmpeg Ffmpeg ffmpeg

Information

Published : 2024-11-29 20:15

Updated : 2025-06-03 16:03

NVD link : CVE-2024-35366

Mitre link : CVE-2024-35366

CVE.ORG link : CVE-2024-35366

JSON object : View

Products Affected

ffmpeg

ffmpeg

CWE

CWE-190

Integer Overflow or Wraparound

9.1 /10