CVE-2026-6385
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary
A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
Affected Software
| Vendor | Product | Version Range | Status |
|---|
Weaknesses
- CWE-190: Integer Overflow or Wraparound
Workarounds
To mitigate this issue, avoid processing untrusted MPEG-PS/VOB media files with FFmpeg. If FFmpeg is used in automated media processing services, implement strict input validation and isolation to prevent the ingestion of malicious files from untrusted sources. For end-user applications, refrain from opening or playing untrusted media files.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://access.redhat.com/security/cve/CVE-2026-6385
- https://bugzilla.redhat.com/show_bug.cgi?id=2458764
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.