Aggregates CVE and security vulnerability intelligence across all FFmpeg-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk buffer overflow and vendor risk memory corruption and related problems; some flaws may lead to vendor impact unexpected behavior, affecting vendor surface software deployment scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-35365 | FFmpeg version n6.1.1 has a double-free vulnerability in the fftools/ffmpeg_mux_init.c component of FFmpeg, specifically within the new_stream_audio function. | [email protected] | 8.8 | 0.65% | 2025-01-03 | 2026-06-17 |
| CVE-2023-6603 | A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization. | [email protected] | 7.5 | 0.53% | 2024-12-31 | 2026-06-17 |
| CVE-2023-6602 | A flaw was found in FFmpeg's TTY Demuxer. This vulnerability allows possible data exfiltration via improper parsing of non-TTY-compliant input files in HLS playlists. | [email protected] | 5.3 | 0.41% | 2024-12-31 | 2026-06-17 |
| CVE-2024-35368 | FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c. | [email protected] | 9.8 | 0.69% | 2024-11-29 | 2026-06-17 |
| CVE-2024-35367 | FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8dsp_altivec.c, static const vec_s8 h_subpel_filters_outer | [email protected] | 9.1 | 0.65% | 2024-11-29 | 2026-06-17 |
| CVE-2024-35366 | FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options function of sbgdec.c within the libavformat module. When parsing certain options, the software does not adequately validate the input. This allows for negative duration values to be accepted without proper bounds checking. | [email protected] | 9.1 | 0.60% | 2024-11-29 | 2026-06-17 |
| CVE-2024-36616 | An integer overflow in the component /libavformat/westwood_vqa.c of FFmpeg n6.1.1 allows attackers to cause a denial of service in the application via a crafted VQA file. | [email protected] | 6.5 | 0.56% | 2024-11-29 | 2026-06-17 |
| CVE-2024-36615 | FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could lead to a data race if video encoding parameters were being exported, as the side data would be attached in the decoder thread while being read in the output thread. | [email protected] | 5.9 | 0.43% | 2024-11-29 | 2026-06-17 |
| CVE-2024-36618 | FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavformat library which allows for an integer overflow, potentially resulting in a denial-of-service (DoS) condition. | [email protected] | 6.2 | 0.24% | 2024-11-29 | 2026-06-17 |
| CVE-2024-36617 | FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF decoder. | [email protected] | 6.2 | 0.23% | 2024-11-29 | 2026-06-17 |
| CVE-2024-36619 | FFmpeg n6.1.1 has a vulnerability in the WAVARC decoder of the libavcodec library which allows for an integer overflow when handling certain block types, leading to a denial-of-service (DoS) condition. | [email protected] | 5.3 | 0.65% | 2024-11-29 | 2026-06-17 |
| CVE-2024-35369 | In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process. | [email protected] | 5.5 | 0.23% | 2024-11-29 | 2026-06-17 |
| CVE-2024-7272 | A vulnerability, which was classified as critical, was found in FFmpeg up to 5.1.5. This affects the function fill_audiodata of the file /libswresample/swresample.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. This issue was fixed in version 6.0 by 9903ba28c28ab18dc7b7b6fb8571cc8b5caae1a6 but a backport for 5.1 was forgotten. The exploit has been disclosed to the public and may be used. Upgrading to version 5.1.6 and 6.0 9903ba28c28ab18dc | [email protected] | 6.9 | 1.13% | 2024-08-12 | 2026-06-17 |
| CVE-2024-7055 | A vulnerability was found in FFmpeg up to 7.0.1. It has been classified as critical. This affects the function pnm_decode_frame in the library /libavcodec/pnmdec.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0.2 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-27365 | [email protected] | 6.9 | 1.08% | 2024-08-06 | 2026-06-17 |
| CVE-2024-32230 | FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0 | [email protected] | 7.8 | 0.35% | 2024-07-01 | 2026-06-17 |
| CVE-2024-32229 | FFmpeg 7.0 contains a heap-buffer-overflow at libavfilter/vf_tiltandshift.c:189:5 in copy_column. | [email protected] | 8.4 | 0.27% | 2024-07-01 | 2026-06-17 |
| CVE-2024-32228 | FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a SEGV at libavcodec/hevcdec.c:2947:22 in hevc_frame_end. | [email protected] | 6.6 | 0.25% | 2024-07-01 | 2026-06-17 |
| CVE-2023-51794 | Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavfilter/af_stereowiden.c:120:69. | [email protected] | 7.8 | 0.22% | 2024-04-26 | 2026-06-17 |
| CVE-2023-51798 | Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via a floating point exception (FPE) error at libavfilter/vf_minterpolate.c:1078:60 in interpolate. | [email protected] | 7.8 | 0.32% | 2024-04-19 | 2026-06-17 |
| CVE-2023-51797 | Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavfilter/avf_showwaves.c:722:24 in showwaves_filter_frame | [email protected] | 6.7 | 0.42% | 2024-04-19 | 2026-06-17 |