[USN-7830-1] FFmpeg vulnerabilities

Tue, 21 Oct 2025 10:15:59 -0700 

==========================================================================
Ubuntu Security Notice USN-7830-1
October 21, 2025

ffmpeg vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in FFmpeg.

Software Description:
- ffmpeg: Tools for transcoding, streaming and playing of multimedia files

Details:

It was discovered that FFmpeg incorrectly handled the return values of
functions in its Firequalizer filter and in the HTTP Live Streaming (HLS)
implementation, leading to a NULL pointer dereference. If a user was 
tricked into loading a crafted media file, a remote attacker could 
possibly use this issue to make FFmpeg crash, resulting in a denial
of service. (CVE-2023-6603, CVE-2025-10256)

It was discovered that FFmpeg did not enforce an input format before
triggering the HTTP demuxer. A remote attacker could possibly use this
issue to perform a Server-Side Request Forgery (SSRF) attack.
(CVE-2025-6605)

It was discovered that FFmpeg incorrectly handled memory allocation in the
ALS audio decoder. If a user was tricked into loading a crafted media file,
a remote attacker could possibly use this issue to make FFmpeg crash,
resulting in a denial of service. (CVE-2025-7700)

It was discovered that FFmpeg incorrectly handled memory in the JPEG 2000
decoder, which could lead to a heap buffer overflow. If a user or 
application were tricked into opening a specially crafted file, an 
attacker could possibly use this issue to cause a denial of service 
or leak sensitive information. (CVE-2025-9951)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  ffmpeg                          7:6.1.1-3ubuntu5+esm6
                                  Available with Ubuntu Pro
  libavcodec60                    7:6.1.1-3ubuntu5+esm6
                                  Available with Ubuntu Pro
  libavformat60                   7:6.1.1-3ubuntu5+esm6
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  ffmpeg                          7:4.4.2-0ubuntu0.22.04.1+esm10
                                  Available with Ubuntu Pro
  libavcodec58                    7:4.4.2-0ubuntu0.22.04.1+esm10
                                  Available with Ubuntu Pro
  libavformat58                   7:4.4.2-0ubuntu0.22.04.1+esm10
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  ffmpeg                          7:4.2.7-0ubuntu0.1+esm11
                                  Available with Ubuntu Pro
  libavcodec58                    7:4.2.7-0ubuntu0.1+esm11
                                  Available with Ubuntu Pro
  libavformat58                   7:4.2.7-0ubuntu0.1+esm11
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  ffmpeg                          7:3.4.11-0ubuntu0.1+esm11
                                  Available with Ubuntu Pro
  libavcodec57                    7:3.4.11-0ubuntu0.1+esm11
                                  Available with Ubuntu Pro
  libavformat57                   7:3.4.11-0ubuntu0.1+esm11
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7830-1
  CVE-2023-6603, CVE-2023-6605, CVE-2025-10256, CVE-2025-7700,
  CVE-2025-9951

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to