A vulnerability, which was classified as critical, was found in FFmpeg up to 5.1.5. This affects the function fill_audiodata of the file /libswresample/swresample.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. This issue was fixed in version 6.0 by 9903ba28c28ab18dc7b7b6fb8571cc8b5caae1a6 but a backport for 5.1 was forgotten. The exploit has been disclosed to the public and may be used. Upgrading to version 5.1.6 and 6.0 9903ba28c28ab18dc7b7b6fb8571cc8b5caae1a6 is able to address this issue. It is recommended to upgrade the affected component.
Conclusion & alert: CVE-2024-7272 is rated High Exploit Risk (65.2/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.13%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.28% | 1.13% | +0.85% |
| 2 | 2026-04-05 | 0.19% | 0.28% | +0.09% |
| 3 | 2025-11-21 | — | 0.19% | — |
Full EPSS history (16 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.9 | 4.0 | MEDIUM |
|
— | — | [email protected] |
| 6.3 | 3.1 | MEDIUM |
|
2.8 | 3.4 | [email protected] |
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | [email protected] |
| 7.5 | 2.0 | HIGH |
|
10.0 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
medium | CVE-2024-7272: 1 source package rows (ffmpeg); 10 state rows across 1 repos (edge-community); fixed 0, open 10. | https://security.alpinelinux.org/vuln/CVE-2024-7272 |
debian
|
unimportant | CVE-2024-7272 unimportant priority: Debian including 1 source packages (ffmpeg), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2024-7272 |
suse
|
high | CVE-2024-7272 severity important: SUSE including 84 source package names (ffmpeg, ffmpeg-4, …), 436 product×package rows across 21 product lines (SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS, SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS, … (21 product lines)): Known Not Affected 410, Fixed 26. | https://www.suse.com/security/cve/CVE-2024-7272/ |
ubuntu
|
medium | CVE-2024-7272 medium priority: Ubuntu including 2 source packages (ffmpeg, libav), 13 status rows across 8 suites (bionic, focal, jammy, noble, oracular, trusty, upstream, xenial): not-affected 7, DNE 4, needs-triage 2. | https://ubuntu.com/security/CVE-2024-7272 |
| URL | Tags |
|---|---|
| https://ffmpeg.org/ | Product |
| https://github.com/CookedMelon/ReportCVE/tree/main/FFmpeg/poc5 | Exploit |
| https://github.com/CookedMelon/ReportCVE/tree/main/FFmpeg/poc6 | Not Applicable |
| https://vuldb.com/?ctiid.273945 | Permissions Required VDB Entry |
| https://vuldb.com/?id.273945 | Permissions Required VDB Entry |