Use-After-Free Vulnerability in FFmpeg Affecting VLC Media Player
CVE-2022-48434

8.1 HIGH

Key Information:

Vendor: FFmpeg
Status: Vendor
CVE Published: 29 March 2023

What is CVE-2022-48434?

A use-after-free vulnerability exists in the FFmpeg library, specifically in the libavcodec component. The flaw arises in worker threads, where stale hardware-acceleration state is left behind and can later be referenced after it has been freed. Under certain conditions, such as a change during video playback that forces hardware re-initialization, this can lead to arbitrary code execution. Users of VLC and other media applications that link against affected FFmpeg versions should stay informed and apply security patches promptly.

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved