FFmpeg Media Handling Flaw Allows Potential Code Execution via Malicious Subtitles
CVE-2026-6385

6.5MEDIUM

Key Information:

Vendor: Red Hat
Status: Lightspeed Core; Red Hat Ai Inference Server; Red Hat Enterprise Linux Ai (rhel Ai) 3; Red Hat Openshift Ai (rhoai)
Vendor: CVE Published:; 15 April 2026

What is CVE-2026-6385?

A flaw in FFmpeg allows remote attackers to exploit a vulnerability involving specifically crafted MPEG-PS/VOB media files that contain a malicious DVD subtitle stream. This is due to a signed integer overflow in the DVD subtitle parser's bounds checks during fragment reassembly, which can lead to a heap out-of-bounds write. If successfully exploited, this can result in a denial of service through application crashes and may also facilitate arbitrary code execution.

References

https://access.redhat.com/security/cve/CVE-2026-6385

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2458764

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Apr 15, 2026

Credit

Red Hat would like to thank Quang Luong (Calif.io in collaboration with OpenAI Codex) for reporting this issue.

CVE-2026-6385 Data

JSON