CVE-2024-36615

Dec. 3, 2024, 4:15 p.m.

5.9
Medium

Description

FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could lead to a data race if video encoding parameters were being exported, as the side data would be attached in the decoder thread while being read in the output thread.

Product(s) Impacted

Product Versions
FFmpeg
  • ['7.0']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

https://gist.github.com/1047524396/c44e5eaafa8f408eea0c9411205990fb
https://github.com/FFmpeg/FFmpeg/blob/n7.0/libavcodec/vp9.c#L1738
https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61

Tags

cve@mitre.org
CWE-362
2024-11-29
CVE-2024-36615

CVSS Score

5.9 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

    View Vector String

Timeline

Published: Nov. 29, 2024, 7:15 p.m.
Last Modified: Dec. 3, 2024, 4:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.