Description
An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Published: 2026-04-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Update FFmpeg
AI Analysis

Impact

An out‑of‑bounds read in FFmpeg’s AV1 decoder (read_global_param() in libavcodec/av1dec.c) allows an attacker to craft a malicious input that causes the decoder to read memory beyond the intended bounds and crash. The flaw produces a denial of service; it does not enable arbitrary code execution or data disclosure. It falls under CWE‑125 (Out‑of‑bounds Read) and CWE‑1285 (Improper Handling of External Input). The likely attack vector is the delivery of a specially crafted AV1 stream to any application that decodes such media with FFmpeg 8.0.1.

Affected Systems

This vulnerability affects FFmpeg version 8.0.1, the implementation of the AV1 decoder in libavcodec/av1dec.c. No vendor or product names are listed in the CNA data, so users of any application that relies on FFmpeg 8.0.1 for AV1 decoding are potentially impacted. Versions prior to 8.0.1 and later releases have not been confirmed to be affected.

Risk and Exploitability

The CVSS base score of 7.5 indicates a high severity and suggests that remote exploitation is possible through the controlled delivery of malicious input. No EPSS value is available and the flaw is not included in CISA’s KEV catalog, implying no widely reported exploitation to date. An attacker would need to supply the crafted AV1 file to the decoder, which can be achieved by transmitting the file over a network or embedding it in media that the application processes. Because the issue triggers a crash instead of arbitrary code execution, the damage is limited to service disruption rather than broader compromise.

Generated by OpenCVE AI on April 14, 2026 at 01:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FFmpeg to a patched version (e.g., 8.0.2 or later).
  • Verify that the installed FFmpeg binary matches the official release and has not been tampered with.
  • If a patch is not yet available, validate or sanitize AV1 input before decoding and consider disabling AV1 decoding for untrusted sources.

Generated by OpenCVE AI on April 14, 2026 at 01:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Ffmpeg
Ffmpeg ffmpeg
Vendors & Products Ffmpeg
Ffmpeg ffmpeg

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title FFmpeg: FFmpeg: Denial of Service via out-of-bounds read
Weaknesses CWE-1285
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.
References

Subscriptions

Ffmpeg Ffmpeg
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-13T19:06:31.700Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-30997

cve-icon Vulnrichment

Updated: 2026-04-13T19:06:18.598Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-13T15:17:32.570

Modified: 2026-04-23T20:12:35.007

Link: CVE-2026-30997

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-13T00:00:00Z

Links: CVE-2026-30997 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:35:48Z

Weaknesses