CVE Number – CVE-2019-11338
A vulnerability in the libavcodec/hevcdex.c source code of FFmpeg could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.The vulnerability exists because the affected software incorrectly detects duplicate first slices in the libavacodec/hevcdec.c source file. An attacker could exploit this vulnerability by supplying a crafted High Efficiency Video Coding (HEVC) file to the affected system. A successful exploit could allow the attacker to trigger a NULL pointer dereference error that could result in a DoS condition or other unpsecified impacts on the targeted system.FFmpeg has confirmed this vulnerability and released a software patch.
- To exploit this vulnerability, an attacker would need network access and the ability to supply the targeted system with a crafted HEVC file. These requirements could reduce the likelihood of a successful exploit.
- Administrators are advised to apply the appropriate updates.Administrators are advised to allow only trusted users to have network access.Administrators are advised to monitor critical systems.
- FFmpeg has posted a security issue at the following link: Duplicate First Slices
- FFmpeg has posted a patch at the following link: Duplicate First Slices Patch