CVE-2017-9608

MEDIUM

FFmpeg < 3.2.6 - Denial of Service via Crafted MOV File

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-9608. PoCs published by LaCinquette.

AI-analyzed exploit summary: This repository provides a detailed analysis and proof-of-concept for CVE-2017-9608, a null pointer dereference vulnerability in FFmpeg. It includes a Docker setup to build and test the vulnerable version of FFmpeg, along with an explanation of the vulnerability and its exploitation.

Description

The dnxhd decoder in FFmpeg before 3.2.6, and 3.3.x before 3.3.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted mov file.

Exploits (1)

nomisec WRITEUP
by LaCinquette · poc
https://github.com/LaCinquette/practice-22-23

Classification: Writeup 90%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: FFmpeg (versions prior to the fix commit)
No auth needed
Prerequisites: Docker · FFmpeg source code with the vulnerability
devstral-2 · analyzed Feb 16, 2026

References (7)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/100348
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2017/dsa-3957
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2017/08/15/8
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2017/08/14/1

Scores

CVSS v3: 6.5
EPSS: 0.0454
EPSS Percentile: 90.4%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE: CWE-476
Status: published
Products (1): ffmpeg/ffmpeg < 3.2.6
Published: Dec 27, 2017
Tracked Since: Feb 18, 2026