Use-After-Free Vulnerability in SANM Decoding in Vendor Product
CVE-2025-59734

8.7HIGH

Key Information:

Vendor: Ffmpeg
Status: Ffmpeg
Vendor: CVE Published:; 6 October 2025

What is CVE-2025-59734?

A vulnerability in the SANM decoding process allows for potential use-after-free write issues when handling animations in Vendor Product versions below 8.0. When a STOR chunk is present, subsequent FOBJ chunks can cause the code to reference frames with invalid sizes, leading to improper buffer handling. This results in a scenario where the memory allocated for a previously freed buffer is accessed, which could lead to data corruption and unexpected behaviors. To mitigate risks, it is crucial to upgrade to version 8.0 or higher.

Affected Version(s)

FFmpeg 4d7c609be37dc57d31527c8c9e5945dc9491a7cd < 8.0

FFmpeg 7.1.1 < 8.0

References

https://b.corp.google.com/issues/440183164

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 6, 2025
Vulnerability Reserved
Sep 19, 2025

Credit

Google Big Sleep

JSON

Ffmpeg

What is CVE-2025-59734?

Affected Version(s)

References

CVSS V4

Timeline

Credit