CVE-2025-69693

EUVD-2025-208761
Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c). The quantization parameter (qp) validation at line 2267 only checks the lower bound (qp < 0) but is missing upper bound validation. The qp value can reach 65 (base value 63 from 6-bit frame header + offset +2 from read_qp_offset) while the rv60_qp_to_idx array has size 64 (valid indices 0-63). This results in out-of-bounds array access at lines 1554 (decode_cbp8), 1655 (decode_cbp16), and 1419/1421 (get_c4x4_set), potentially leading to memory disclosure or crash. A previous fix in commit 61cbcaf93f added validation only for intra frames. This vulnerability affects the released versions 8.0 (released 2025-08-22) and 8.0.1 (released 2025-11-20) and is fixed in git master commit 8abeb879df which will be included in FFmpeg 8.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 3.7%
Affected Products (NVD)
VendorProductVersion
ffmpegffmpeg
8.0
ffmpegffmpeg
8.0.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ffmpeg
bookworm
7:5.1.8-0+deb12u1
fixed
bookworm (security)
7:5.1.8-0+deb12u1
fixed
bullseye
7:4.3.7-0+deb11u1
fixed
bullseye (security)
7:4.3.9-0+deb11u2
fixed
forky
7:8.1-3
fixed
sid
7:8.1-3
fixed
trixie
7:7.1.3-0+deb13u1
fixed
trixie (security)
7:7.1.3-0+deb13u1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libav
jammy
dne
noble
dne
questing
dne
trusty
not-affected
ffmpeg
bionic
not-affected
focal
not-affected
jammy
not-affected
noble
not-affected
questing
not-affected
xenial
not-affected
Common Weakness Enumeration
References
https://github.com/FFmpeg/FFmpeg/commit/8abeb879df66ea8d27ce1735925ced5a30813de4
https://github.com/FFmpeg/FFmpeg/releases/tag/n8.0
https://github.com/FFmpeg/FFmpeg/releases/tag/n8.0.1