CVE-2020-13904

MEDIUM

FFmpeg 2.8 and 4.2.3 - Use-After-Free via Crafted EXTINF Duration in m3u8 File

Title source: llm

Description

FFmpeg 2.8 and 4.2.3 has a use-after-free via a crafted EXTINF duration in an m3u8 file because parse_playlist in libavformat/hls.c frees a pointer, and later that pointer is accessed in av_probe_input_format3 in libavformat/format.c.

References (7)

Core 7

Core References

Exploit, Issue Tracking, Vendor Advisory x_refsource_misc

https://trac.ffmpeg.org/ticket/8673

Various Sources x_refsource_misc

https://patchwork.ffmpeg.org/project/ffmpeg/patch/20200529033905.41926-1-lq%40chinaffmpeg.org/

Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2020/dsa-4722

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2020/07/msg00022.html

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/4431-1/

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/202007-58

Patch, Third Party Advisory x_refsource_misc

https://github.com/FFmpeg/FFmpeg/commit/6959358683c7533f586c07a766acc5fe9544d8b2

View Patch ZIP pw:eip

Scores

CVSS v3 5.5

EPSS 0.0047

EPSS Percentile 65.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE

CWE-416

Status published

Products (7)

canonical/ubuntu_linux 16.04

canonical/ubuntu_linux 18.04

canonical/ubuntu_linux 20.04

debian/debian_linux 9.0

debian/debian_linux 10.0

ffmpeg/ffmpeg 2.8

ffmpeg/ffmpeg 4.2.3

Published Jun 07, 2020

Tracked Since Feb 18, 2026