CVE-2022-48434
Published: 29 March 2023
libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).
Notes
Author | Note |
---|---|
ccdm94 | As of 2023-04-26 there is no public reproducer available for this issue, so there is no way to confirm through vulnerability testing that Xenial and Bionic are vulnerable to this issue. Xenial's version of FFmpeg is 2.8. Upstream has only provided patches for versions 4.4.x, 5.0.x and 5.1.x. Considering that the code for pthread_frame.c (file altered by the patch) and for FFmpeg has changed significantly from version 2.8 to version 4.4.3, applying the 4.4.3 patch is very likely to introduce security issues and regressions. Because of the very intrusive nature of the backport, Xenial and Bionic (at version 3.4) will not be patched for this issue, and will therefore be marked as ignored. |
Priority
Status
Package | Release | Status |
---|---|---|
ffmpeg (Launchpad, Ubuntu, Debian) | trusty | Ignored (end of standard support) |
 | xenial | Ignored (see notes) |
 | bionic | Ignored (see notes) |
 | focal | Needed |
 | jammy | Needed |
 | kinetic | Ignored (end of life, was needed) |
 | upstream | Released (7:5.1.2-1, 5.1.2, 5.0.1, 4.4.3) |
 | lunar | Not vulnerable (7:5.1.2-3ubuntu1) |
Patches:
- upstream: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db (4.4.x)
- upstream: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba (5.0.x)
- upstream: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda (5.1.x)
- upstream: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cc867f2c09d2b69cee8a0eccd62aff002cbbfe11 (n6.1-dev)
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.1 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48434
- https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cc867f2c09d2b69cee8a0eccd62aff002cbbfe11 (n6.1-dev)
- https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda (n5.1.2)
- https://wrv.github.io/h26forge.pdf
- https://news.ycombinator.com/item?id=35356201
- NVD
- Launchpad
- Debian