Description
The mjpeg_decode_app function in libavcodec/mjpegdec.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds heap access) and possibly have other unspecified impact via vectors related to LJIF tags in an MJPEG file.
References (3)
Core 3
Core References
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201603-06
Various Sources x_refsource_confirm
https://www.ffmpeg.org/security.html
Patch x_refsource_confirm
http://git.videolan.org/?p=ffmpeg.git%3Ba=commit%3Bh=0eecf40935b22644e6cd74c586057237ecfd6844
Scores
EPSS
0.0052
EPSS Percentile
67.0%
Details
CWE
CWE-119
Status
published
Products (12)
ffmpeg/ffmpeg
2.2
ffmpeg/ffmpeg
2.2.4
ffmpeg/ffmpeg
2.3
ffmpeg/ffmpeg
2.3.2
ffmpeg/ffmpeg
2.3.3
ffmpeg/ffmpeg
2.3.4
ffmpeg/ffmpeg
2.3.5
ffmpeg/ffmpeg
2.4
ffmpeg/ffmpeg
2.4.1
ffmpeg/ffmpeg
2.4.2
... and 2 more
Published
Dec 09, 2014
Tracked Since
Feb 18, 2026