A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. This affects the function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c of the component AAC Encoder. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

No data.

No data.

No data.

References
Link Providers
https://ffmpeg.org/ cve-icon cve-icon
https://trac.ffmpeg.org/attachment/ticket/11418/poc cve-icon cve-icon
https://trac.ffmpeg.org/ticket/11418#comment:3 cve-icon cve-icon
https://vuldb.com/?ctiid.296589 cve-icon cve-icon
https://vuldb.com/?id.296589 cve-icon cve-icon
https://vuldb.com/?submit.496929 cve-icon cve-icon
History

Mon, 24 Feb 2025 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 23 Feb 2025 21:15:00 +0000

Type Values Removed Values Added
Description A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. This affects the function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c of the component AAC Encoder. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Title FFmpeg AAC Encoder aacenc_tns.c ff_aac_search_for_tns stack-based overflow
Weaknesses CWE-119
CWE-121
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2025-02-23T21:00:13.152Z

Updated: 2025-02-24T12:03:02.141Z

Reserved: 2025-02-22T22:10:24.824Z

Link: CVE-2025-1594

cve-icon Vulnrichment

Updated: 2025-02-24T12:02:55.812Z

cve-icon NVD

Status : Received

Published: 2025-02-23T21:15:09.130

Modified: 2025-02-23T21:15:09.130

Link: CVE-2025-1594

cve-icon Redhat

No data.