
CVE-2021-38171

Published: 21 August 2021

adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: ffmpeg (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Released (7:3.4.11-0ubuntu0.1)
focal      Released (7:4.2.7-0ubuntu0.1)
hirsute    Ignored (reached end-of-life)
impish     Released (7:4.4.2-0ubuntu0.21.10.1)
jammy      Not vulnerable (7:4.4.1-3ubuntu2)
trusty     Does not exist
upstream   Released (4.4.1)
xenial     Ignored (out of standard support, was needed)

Patches:
upstream: https://github.com/FFmpeg/FFmpeg/commit/9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6