Description
Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c). The quantization parameter (qp) validation at line 2267 only checks the lower bound (qp < 0) but is missing upper bound validation. The qp value can reach 65 (base value 63 from 6-bit frame header + offset +2 from read_qp_offset) while the rv60_qp_to_idx array has size 64 (valid indices 0-63). This results in out-of-bounds array access at lines 1554 (decode_cbp8), 1655 (decode_cbp16), and 1419/1421 (get_c4x4_set), potentially leading to memory disclosure or crash. A previous fix in commit 61cbcaf93f added validation only for intra frames. This vulnerability affects the released versions 8.0 (released 2025-08-22) and 8.0.1 (released 2025-11-20) and is fixed in git master commit 8abeb879df which will be included in FFmpeg 8.1.
Published: 2026-03-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory disclosure or crash via out-of-bounds read
Action: Patch Now
AI Analysis

Impact

The vulnerability occurs in FFmpeg versions 8.0 and 8.0.1 when decoding RV60 video streams. During decoding, the quantization parameter (qp) validation only checks for values less than zero and does not enforce the upper bound. A malicious encoder can produce a qp of up to 65, which exceeds the rv60_qp_to_idx array size of 64. The resulting out-of-bounds array accesses in the decode_cbp8, decode_cbp16, and get_c4x4_set functions lead to memory disclosure or a crash. This weakness corresponds to CWE-125 (Out-of-Bounds Read).
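
The bounds problem described above, as an added C model (not FFmpeg's code and not the text of commit 8abeb879df): it enumerates every 6-bit base and offset pair and counts the qp values that a lower-bound-only check accepts even though they index past a 64-entry table. The function names, the table contents, the -2..+2 offset range and the form of the hardened check are assumptions; only the table size, the 6-bit base and the +2 maximum offset come from the description.

```c
#include <stdint.h>
#include <stdio.h>

#define QP_TABLE_SIZE 64 /* from the page: rv60_qp_to_idx has indices 0-63 */

/* Stand-in for rv60_qp_to_idx; contents are constructed, only the size is real. */
static const uint8_t qp_table_model[QP_TABLE_SIZE] = {0};

/* 6-bit base from the frame header plus a per-slice offset (model). */
static int compute_qp(unsigned base6, int offset) {
    return (int)(base6 & 0x3F) + offset;
}

/* The check the advisory describes: lower bound only. */
static int qp_ok_lower_only(int qp) { return qp >= 0; }

/* Assumed hardened form: reject anything outside the table. */
static int qp_ok_bounded(int qp) { return qp >= 0 && qp < QP_TABLE_SIZE; }

/* Guarded lookup: returns -1 instead of reading past the table. */
static int lookup_idx(int qp) {
    return qp_ok_bounded(qp) ? qp_table_model[qp] : -1;
}

/* Count (base, offset) pairs a check accepts although qp indexes out of bounds. */
static int count_escapes(int (*check)(int), int min_off, int max_off) {
    int n = 0;
    for (unsigned base = 0; base < 64; base++)
        for (int off = min_off; off <= max_off; off++) {
            int qp = compute_qp(base, off);
            if (check(qp) && qp >= QP_TABLE_SIZE)
                n++;
        }
    return n;
}

int main(void) {
    /* Offset range -2..+2 is an assumption; the page only states the +2 maximum. */
    printf("max qp: %d\n", compute_qp(63, 2));
    printf("lower-only check lets through: %d\n", count_escapes(qp_ok_lower_only, -2, 2));
    printf("bounded check lets through:    %d\n", count_escapes(qp_ok_bounded, -2, 2));
    printf("guarded lookup at qp=65: %d\n", lookup_idx(65));
    return 0;
}
```

Under these assumptions only three combinations reach index 64 or 65, which is why the read overruns the table by at most two entries.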

Affected Systems

Affected systems are installations of FFmpeg versions 8.0.0 (released 2025-08-22) and 8.0.1 (released 2025-11-20) that use the RV60 decoder. The vulnerability is tracked by CPE identifiers cpe:2.3:a:ffmpeg:ffmpeg:8.0:* and cpe:2.3:a:ffmpeg:ffmpeg:8.0.1:*. Any environment that processes RV60 video frames with these FFmpeg releases is impacted.

Risk and Exploitability

The CVSS base score is 5.4, indicating a moderate risk. EPSS is less than 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that a malicious RV60 video file can trigger the flaw, causing either a crash or memory disclosure; this attack would be local to the process that decodes the file, but could also lead to denial of service if the user or application is not protected. No remote code execution is indicated. The mitigation is to upgrade to FFmpeg 8.1 or later where the issue is fixed.

Generated by OpenCVE AI on March 19, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FFmpeg to version 8.1 or later to apply the fix.
  • Apply the master commit 8abeb879df to your FFmpeg source before compiling if an upgrade is not possible.
  • Avoid decoding RV60 video files with vulnerable FFmpeg versions 8.0 and 8.0.1.
  • Monitor FFmpeg releases for further security updates.



Advisories

No advisories yet.

History

Thu, 19 Mar 2026 14:30:00 +0000

Type: CPEs
Values Added:
  cpe:2.3:a:ffmpeg:ffmpeg:8.0.1:*:*:*:*:*:*:*
  cpe:2.3:a:ffmpeg:ffmpeg:8.0:*:*:*:*:*:*:*

Tue, 17 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added:
  Ffmpeg
  Ffmpeg ffmpeg

Type: Vendors & Products
Values Added:
  Ffmpeg
  Ffmpeg ffmpeg

Tue, 17 Mar 2026 00:15:00 +0000

Type: Title
Values Added: FFmpeg: out-of-bounds read in RV60 video decoder

Type: References

Type: Metrics
Values Removed: threat_severity: None
Values Added: threat_severity: Moderate


Mon, 16 Mar 2026 21:15:00 +0000

Type: Weaknesses
Values Added: CWE-125

Type: Metrics
Values Added:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 19:30:00 +0000

Type: Description
Values Added: Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c). The quantization parameter (qp) validation at line 2267 only checks the lower bound (qp < 0) but is missing upper bound validation. The qp value can reach 65 (base value 63 from 6-bit frame header + offset +2 from read_qp_offset) while the rv60_qp_to_idx array has size 64 (valid indices 0-63). This results in out-of-bounds array access at lines 1554 (decode_cbp8), 1655 (decode_cbp16), and 1419/1421 (get_c4x4_set), potentially leading to memory disclosure or crash. A previous fix in commit 61cbcaf93f added validation only for intra frames. This vulnerability affects the released versions 8.0 (released 2025-08-22) and 8.0.1 (released 2025-11-20) and is fixed in git master commit 8abeb879df which will be included in FFmpeg 8.1.

Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-16T20:04:20.747Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-69693

Vulnrichment

Updated: 2026-03-16T20:01:47.703Z

NVD

Status: Analyzed

Published: 2026-03-16T20:16:15.060

Modified: 2026-03-19T14:19:12.370

Link: CVE-2025-69693

Redhat

Severity: Moderate

Public Date: 2026-03-16T00:00:00Z

Links: CVE-2025-69693 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T14:01:02Z

Weaknesses