CVE-2019-11338
HIGHFFmpeg 3.4 and 4.1.2 - Denial of Service via HEVC Duplicate First Slice Detection
Title source: llmDescription
libavcodec/hevcdec.c in FFmpeg 3.4 and 4.1.2 mishandles detection of duplicate first slices, which allows remote attackers to cause a denial of service (NULL pointer dereference and out-of-array access) or possibly have unspecified other impact via crafted HEVC data.
References (9)
Core 9
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/FFmpeg/FFmpeg/commit/54655623a82632e7624714d7b2a3e039dc5faa7e
Broken Link vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/108034
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/3967-1/
Mailing List, Third Party Advisory mailing-list
x_refsource_bugtraq
https://seclists.org/bugtraq/2019/May/60
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2019/dsa-4449
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/05/msg00043.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00012.html
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4431-1/
Patch, Third Party Advisory x_refsource_misc
https://github.com/FFmpeg/FFmpeg/commit/9ccc633068c6fe76989f487c8932bd11886ad65b
Scores
CVSS v3
8.8
EPSS
0.0235
EPSS Percentile
81.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-476
Status
published
Products (10)
canonical/ubuntu_linux
16.04
canonical/ubuntu_linux
18.04
canonical/ubuntu_linux
18.10
canonical/ubuntu_linux
19.04
canonical/ubuntu_linux
20.04
debian/debian_linux
8.0
debian/debian_linux
9.0
ffmpeg/ffmpeg
3.4
ffmpeg/ffmpeg
4.1.2
novell/suse_package_hub_for_suse_linux_enterprise
12
Published
Apr 19, 2019
Tracked Since
Feb 18, 2026