CVE-2024-7055

06.08.2024, 06:15

A vulnerability was found in FFmpeg up to 7.0.1. It has been classified as critical. This affects the function pnm_decode_frame in the library /libavcodec/pnmdec.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0.2 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-273651.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
VulDB	CNA	6.3 MEDIUM				CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 37%

Debian Releases

Debian Product

Codename

ffmpeg

bullseye	vulnerable
bullseye (security)	7:4.3.8-0+deb11u3 fixed
bookworm	7:5.1.6-0+deb12u1 fixed
bookworm (security)	7:5.1.6-0+deb12u1 fixed
sid	7:7.1.1-1 fixed
trixie	7:7.1.1-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

ffmpeg

plucky	not-affected
oracular	not-affected
noble	needed
jammy	needed
focal	not-affected
bionic	not-affected
xenial	not-affected

libav

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
trusty	needs-triage

Common Weakness Enumeration

CWE-122 - Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

References

https://ffmpeg.org/

https://ffmpeg.org/download.html

https://github.com/CookedMelon/ReportCVE/tree/main/FFmpeg/poc3

https://vuldb.com/?ctiid.273651

https://vuldb.com/?id.273651

https://vuldb.com/?submit.376532