CVE-2017-11399
HIGHFFmpeg 2.4-3.3.2 - Out-of-bounds Read via Crafted APE File
Title source: llmDescription
Integer overflow in the ape_decode_frame function in libavcodec/apedec.c in FFmpeg 2.4 through 3.3.2 allows remote attackers to cause a denial of service (out-of-array access and application crash) or possibly have unspecified other impact via a crafted APE file.
References (4)
Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/100019
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2017/dsa-3957
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/FFmpeg/FFmpeg/commit/ba4beaf6149f7241c8bd85fe853318c2f6837ad0
Patch x_refsource_misc
https://github.com/FFmpeg/FFmpeg/commit/96349da5ec8eda9f0368446e557fe0c8ba0e66b7
Scores
CVSS v3
7.8
EPSS
0.0161
EPSS Percentile
72.7%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-125
Status
published
Products (1)
ffmpeg/ffmpeg
< 3.3.2
Published
Jul 17, 2017
Tracked Since
Feb 18, 2026