CVE-2024-36615

MEDIUM

FFmpeg n7.0 - Data Race

Title source: llm

Description

FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could lead to a data race if video encoding parameters were being exported, as the side data would be attached in the decoder thread while being read in the output thread.

References (3)

Core 3

Core References

Third Party Advisory

https://gist.github.com/1047524396/c44e5eaafa8f408eea0c9411205990fb

Product

https://github.com/FFmpeg/FFmpeg/blob/n7.0/libavcodec/vp9.c#L1738

View Writeup ZIP pw:eip

Patch

https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61

View Patch ZIP pw:eip

Scores

CVSS v3 5.9

EPSS 0.0009

EPSS Percentile 25.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-362

Status published

Products (1)

ffmpeg/ffmpeg 7.0

Published Nov 29, 2024

Tracked Since Feb 18, 2026