{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-59729", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2025-09-19T08:11:37.549Z", "datePublished": "2025-10-06T08:08:46.060Z", "dateUpdated": "2025-10-06T16:28:37.534Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://git.ffmpeg.org/ffmpeg.git", "defaultStatus": "unaffected", "modules": ["get_duration"], "packageName": "DHAV", "product": "FFmpeg", "repo": "https://git.ffmpeg.org/ffmpeg.git", "vendor": "FFmpeg", "versions": [{"lessThan": "8.0", "status": "affected", "version": "a218cafe4d3be005ab0c61130f90db4d21afb5db", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Google Big Sleep"}], "datePublic": "2025-07-21T22:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p></p><p>When parsing the header for a DHAV file, there's an integer underflow in offset calculation that leads to reading the duration from before the start of the allocated buffer.</p><p>If we load a DHAV file that is larger than <code>MAX_DURATION_BUFFER_SIZE</code>&nbsp;bytes (<code>0x100000</code>) for example 0x101000 bytes, then at [0] we have <code>size = 0x101000</code>. At [1] we have <code>end_buffer_size = 0x100000</code>, and at [2] we have <code>end_buffer_pos = 0x1000</code>.</p><p>The loop then scans backwards through the buffer looking for the <code>dhav</code>&nbsp;tag; when it is found, we'll calculate <code>end_pos</code>&nbsp;based on a 32-bit offset read from the buffer.</p><p>There is subsequently a check [3] that <code>end_pos</code>&nbsp;is within the section of the file that has been copied into <code>end_buffer</code>, but it only correctly handles the cases where <code>end_pos</code>&nbsp;is <em>before the start of the file</em>&nbsp;or <em>after the section copied into <code>end_buffer</code></em>, and not the case where <code>end_pos</code>&nbsp;is within the the file, but before the section copied into <code>end_buffer</code>. If we provide such an offset, <code>(end_pos - end_buffer_pos)</code>&nbsp;can underflow, resulting in the subsequent access at [4] occurring before the beginning of the allocation.</p>We recommend upgrading to version 8.0 or beyond.<p></p><br>"}], "value": "When parsing the header for a DHAV file, there's an integer underflow in offset calculation that leads to reading the duration from before the start of the allocated buffer.\n\nIf we load a DHAV file that is larger than MAX_DURATION_BUFFER_SIZE\u00a0bytes (0x100000) for example 0x101000 bytes, then at [0] we have size = 0x101000. At [1] we have end_buffer_size = 0x100000, and at [2] we have end_buffer_pos = 0x1000.\n\nThe loop then scans backwards through the buffer looking for the dhav\u00a0tag; when it is found, we'll calculate end_pos\u00a0based on a 32-bit offset read from the buffer.\n\nThere is subsequently a check [3] that end_pos\u00a0is within the section of the file that has been copied into end_buffer, but it only correctly handles the cases where end_pos\u00a0is before the start of the file\u00a0or after the section copied into end_buffer, and not the case where end_pos\u00a0is within the the file, but before the section copied into end_buffer. If we provide such an offset, (end_pos - end_buffer_pos)\u00a0can underflow, resulting in the subsequent access at [4] occurring before the beginning of the allocation.\n\nWe recommend upgrading to version 8.0 or beyond."}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "baseScore": 5.7, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2025-10-06T08:08:46.060Z"}, "references": [{"url": "https://issuetracker.google.com/433513232"}], "source": {"discovery": "EXTERNAL"}, "title": "Heap-buffer-overflow read in FFmpeg DHAV get_duration", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-06T16:25:07.013593Z", "id": "CVE-2025-59729", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-06T16:28:37.534Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-59729", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-06T16:25:07.013593Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-06T16:28:32.542Z"}}], "cna": {"title": "Heap-buffer-overflow read in FFmpeg DHAV get_duration", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Google Big Sleep"}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.7, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://git.ffmpeg.org/ffmpeg.git", "vendor": "FFmpeg", "modules": ["get_duration"], "product": "FFmpeg", "versions": [{"status": "affected", "version": "a218cafe4d3be005ab0c61130f90db4d21afb5db", "lessThan": "8.0", "versionType": "custom"}], "packageName": "DHAV", "collectionURL": "https://git.ffmpeg.org/ffmpeg.git", "defaultStatus": "unaffected"}], "datePublic": "2025-07-21T22:00:00.000Z", "references": [{"url": "https://issuetracker.google.com/433513232"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "When parsing the header for a DHAV file, there's an integer underflow in offset calculation that leads to reading the duration from before the start of the allocated buffer.\n\nIf we load a DHAV file that is larger than MAX_DURATION_BUFFER_SIZE\u00a0bytes (0x100000) for example 0x101000 bytes, then at [0] we have size = 0x101000. At [1] we have end_buffer_size = 0x100000, and at [2] we have end_buffer_pos = 0x1000.\n\nThe loop then scans backwards through the buffer looking for the dhav\u00a0tag; when it is found, we'll calculate end_pos\u00a0based on a 32-bit offset read from the buffer.\n\nThere is subsequently a check [3] that end_pos\u00a0is within the section of the file that has been copied into end_buffer, but it only correctly handles the cases where end_pos\u00a0is before the start of the file\u00a0or after the section copied into end_buffer, and not the case where end_pos\u00a0is within the the file, but before the section copied into end_buffer. If we provide such an offset, (end_pos - end_buffer_pos)\u00a0can underflow, resulting in the subsequent access at [4] occurring before the beginning of the allocation.\n\nWe recommend upgrading to version 8.0 or beyond.", "supportingMedia": [{"type": "text/html", "value": "<p></p><p>When parsing the header for a DHAV file, there's an integer underflow in offset calculation that leads to reading the duration from before the start of the allocated buffer.</p><p>If we load a DHAV file that is larger than <code>MAX_DURATION_BUFFER_SIZE</code>&nbsp;bytes (<code>0x100000</code>) for example 0x101000 bytes, then at [0] we have <code>size = 0x101000</code>. At [1] we have <code>end_buffer_size = 0x100000</code>, and at [2] we have <code>end_buffer_pos = 0x1000</code>.</p><p>The loop then scans backwards through the buffer looking for the <code>dhav</code>&nbsp;tag; when it is found, we'll calculate <code>end_pos</code>&nbsp;based on a 32-bit offset read from the buffer.</p><p>There is subsequently a check [3] that <code>end_pos</code>&nbsp;is within the section of the file that has been copied into <code>end_buffer</code>, but it only correctly handles the cases where <code>end_pos</code>&nbsp;is <em>before the start of the file</em>&nbsp;or <em>after the section copied into <code>end_buffer</code></em>, and not the case where <code>end_pos</code>&nbsp;is within the the file, but before the section copied into <code>end_buffer</code>. If we provide such an offset, <code>(end_pos - end_buffer_pos)</code>&nbsp;can underflow, resulting in the subsequent access at [4] occurring before the beginning of the allocation.</p>We recommend upgrading to version 8.0 or beyond.<p></p><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2025-10-06T08:08:46.060Z"}}}, "cveMetadata": {"cveId": "CVE-2025-59729", "state": "PUBLISHED", "dateUpdated": "2025-10-06T16:28:37.534Z", "dateReserved": "2025-09-19T08:11:37.549Z", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "datePublished": "2025-10-06T08:08:46.060Z", "assignerShortName": "Google"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When parsing the header for a DHAV file, there's an integer underflow in offset calculation that leads to reading the duration from before the start of the allocated buffer.\n\nIf we load a DHAV file that is larger than MAX_DURATION_BUFFER_SIZE\u00a0bytes (0x100000) for example 0x101000 bytes, then at [0] we have size = 0x101000. At [1] we have end_buffer_size = 0x100000, and at [2] we have end_buffer_pos = 0x1000.\n\nThe loop then scans backwards through the buffer looking for the dhav\u00a0tag; when it is found, we'll calculate end_pos\u00a0based on a 32-bit offset read from the buffer.\n\nThere is subsequently a check [3] that end_pos\u00a0is within the section of the file that has been copied into end_buffer, but it only correctly handles the cases where end_pos\u00a0is before the start of the file\u00a0or after the section copied into end_buffer, and not the case where end_pos\u00a0is within the the file, but before the section copied into end_buffer. If we provide such an offset, (end_pos - end_buffer_pos)\u00a0can underflow, resulting in the subsequent access at [4] occurring before the beginning of the allocation.\n\nWe recommend upgrading to version 8.0 or beyond."}], "id": "CVE-2025-59729", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2025-10-06T08:15:34.447", "references": [{"source": "cve-coordination@google.com", "url": "https://issuetracker.google.com/433513232"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}

{"bugzilla": {"description": "FFmpeg: FFmpeg: Integer underflow in DHAV file header parsing leads to out-of-bounds read", "id": "2401798", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2401798"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["When parsing the header for a DHAV file, there's an integer underflow in offset calculation that leads to reading the duration from before the start of the allocated buffer.\nIf we load a DHAV file that is larger than MAX_DURATION_BUFFER_SIZE\u00a0bytes (0x100000) for example 0x101000 bytes, then at [0] we have size = 0x101000. At [1] we have end_buffer_size = 0x100000, and at [2] we have end_buffer_pos = 0x1000.\nThe loop then scans backwards through the buffer looking for the dhav\u00a0tag; when it is found, we'll calculate end_pos\u00a0based on a 32-bit offset read from the buffer.\nThere is subsequently a check [3] that end_pos\u00a0is within the section of the file that has been copied into end_buffer, but it only correctly handles the cases where end_pos\u00a0is before the start of the file\u00a0or after the section copied into end_buffer, and not the case where end_pos\u00a0is within the the file, but before the section copied into end_buffer. If we provide such an offset, (end_pos - end_buffer_pos)\u00a0can underflow, resulting in the subsequent access at [4] occurring before the beginning of the allocation.\nWe recommend upgrading to version 8.0 or beyond.", "A flaw was found in FFmpeg. This vulnerability allows an out-of-bounds read via an integer underflow in the offset calculation when parsing the header for a Digital Home Audio/Video (DHAV) file."], "name": "CVE-2025-59729", "public_date": "2025-10-06T08:08:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-59729\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-59729\nhttps://issuetracker.google.com/433513232"], "statement": "The vulnerability in FFmpeg, an integer underflow leading to an out-of-bounds read during DHAV file header parsing, primarily impacts the availability of systems processing untrusted DHAV media files. Red Hat rates this as Moderate due to the potential for denial of service when processing specially crafted input.", "threat_severity": "Moderate"}

{"created": "2025-10-06T14:39:55.814957+00:00", "updated": "2025-10-06T14:39:55.815012+00:00", "vendors": ["ffmpeg", "ffmpeg$PRODUCT$ffmpeg"]}