wid-sec-w-2026-0740 · Published 2026-03-16 · View on BSI CERT-Bund ↗

ffmpeg (RV60 video decoder): Vulnerability allows Denial of Service and die Offenlegung from Informationen

CVSS 5.4 MEDIUM

Risk Summary

Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c). The quantization parameter (qp) validation at line 2267 only checks the lower bound (qp < 0) but is missing upper bound validation. The qp value can reach 65 (base value 63 from 6-bit frame header + offset +2 from read_qp_offset) while the rv60_qp_to_idx array has size 64 (valid indices 0-63). This results in out-of-bounds array access at lines 1554 (decode_cbp8), 1655 (decode_cbp16), and 1419/1421 (get_c4x4_set), potentially leading to memory disclosure or crash. A previous fix in commit 61cbcaf93f added validation only for intra frames. This vulnerability affects the released versions 8.0 (released 2025-08-22) and 8.0.1 (released 2025-11-20) and is fixed in git master commit 8abeb879df which will be included in FFmpeg 8.1.

CVEs (1)

CVE-2025-69693

Affected Vendors

Open Source

Affected Products (4)

Open Source · ffmpeg <8.1

Open Source · ffmpeg 8.1

Open Source · ffmpeg 8

Open Source · ffmpeg 8.0.1

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more