Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close


Published: 29 March 2023

libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).


As of 2023-04-26 there is no public reproducer available for this issue,
so there is no way to confirm through vulnerability testing that Xenial
and Bionic are vulnerable to this issue.

Xenial's version of FFmpeg is 2.8. Upstream has only provided patches
for versions 4.4.x, 5.0.x and 5.1.x. Considering that the code for
pthread_frame.c (file altered by the patch) and for FFmpeg has changed
significantly from version 2.8 to version 4.4.3, applying the 4.4.3
patch is very likely to introduce security issues and regressions.
Because of the very intrusive nature of the backport, Xenial and Bionic
(at version 3.4) will not be patched for this issue, and will therefore
be marked as ignored.



Cvss 3 Severity Score


Score breakdown


Package Release Status
Launchpad, Ubuntu, Debian
kinetic Ignored
(end of life, was needed)
trusty Ignored
(end of standard support)
Released (7:5.1.2-1, 5.1.2, 5.0.1, 4.4.3)
xenial Ignored
(see notes)
lunar Not vulnerable
mantic Not vulnerable
Released (7:3.4.11-0ubuntu0.1+esm3)
Available with Ubuntu Pro
Released (7:4.2.7-0ubuntu0.1+esm3)
Available with Ubuntu Pro
Released (7:4.4.2-0ubuntu0.22.04.1+esm2)
Available with Ubuntu Pro
upstream: (4.4.x)
upstream: (5.0.x)
upstream: (5.1.x)
upstream: (n6.1-dev)

Severity score breakdown

Parameter Value
Base score 8.1
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H