Integer Overflow Vulnerability in FFmpeg in Common Encryption Subsample Data Handling
CVE-2026-40962

4.9 MEDIUM

Key Information:

Vendor: FFmpeg
Status: Vendor
CVE Published: 16 April 2026

What is CVE-2026-40962?

FFmpeg versions prior to 8.1 contain an integer overflow that results in an out-of-bounds write. The flaw lies in the handling of Common Encryption (CENC) subsample data in the libavformat/mov.c module. Triggering it can corrupt memory and cause unpredictable behavior, so users should upgrade to a fixed version to mitigate the risk.

Affected Version(s)

FFmpeg 4.1 up to (but not including) 8.1

CVSS v3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
