NewsSecurity Vulnerabilities

FFmpeg libavcodec/hevcdec.c NULL Pointer Dereference Denial of Service Vulnerability [CVE-2019-11338]

CVE Number – CVE-2019-11338

A vulnerability in the libavcodec/hevcdex.c source code of FFmpeg could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.The vulnerability exists because the affected software incorrectly detects duplicate first slices in the libavacodec/hevcdec.c source file. An attacker could exploit this vulnerability by supplying a crafted High Efficiency Video Coding (HEVC) file to the affected system. A successful exploit could allow the attacker to trigger a NULL pointer dereference error that could result in a DoS condition or other unpsecified impacts on the targeted system.FFmpeg has confirmed this vulnerability and released a software patch.

Analysis

  • To exploit this vulnerability, an attacker would need network access and the ability to supply the targeted system with a crafted HEVC file. These requirements could reduce the likelihood of a successful exploit.

Safeguards

  • Administrators are advised to apply the appropriate updates.Administrators are advised to allow only trusted users to have network access.Administrators are advised to monitor critical systems.

Vendor Announcements

Fixed Software

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.