Description
An improper resource deallocation and closure vulnerability in the tools/zmqsend.c component of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input file.
Published: 2026-04-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Assess Impact
AI Analysis

Impact

An improper deallocation of system resources in the FFmpeg zmqsend command causes a denial of service when the tool processes a maliciously crafted input file. The flaw leads to resource exhaustion, reflected in CWE‑400 and CWE‑772, and can make the host system unstable or crash when the tool is invoked.

Affected Systems

The vulnerability exists in the tools/zmqsend.c component of FFmpeg version 8.0.1, and only that specific release is listed as affected.

Risk and Exploitability

The CVSS score of 7.5 indicates moderate to high impact, and the vulnerability is not yet listed in the KEV (Known Exploited Vulnerabilities) catalog. Exploitation requires that an attacker can run zmqsend with a crafted input; therefore the attack vector is most likely local or associated with a privileged service that uses the tool. If zmqsend is executed by a non‑privileged process, the DoS impact would be limited to that process, but if it is run as root or as a daemon, the system could become inoperable.

Generated by OpenCVE AI on April 14, 2026 at 01:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify that your FFmpeg installation is newer than 8.0.1 and upgrade to the latest release that addresses the zmqsend issue.
  • If an upgrade cannot be performed immediately, restrict or remove the zmqsend utility from critical or production systems and block access to crafted input files.
  • Run any remaining instances of zmqsend under a least‑privilege user account to reduce potential impact.
  • Maintain monitoring of system resources and logs for sudden spikes in CPU or memory usage that may signal an attempted denial‑of‑service attack.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 20:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*

Tue, 14 Apr 2026 16:30:00 +0000

Type: First Time appeared
Values Added: Ffmpeg; Ffmpeg ffmpeg

Type: Vendors & Products
Values Added: Ffmpeg; Ffmpeg ffmpeg

Tue, 14 Apr 2026 00:15:00 +0000

Type: Title
Values Added: FFmpeg: FFmpeg: Denial of Service vulnerability in zmqsend.c via crafted input

Type: Weaknesses
Values Added: CWE-772

Type: References

Type: Metrics
Values Removed: threat_severity: None
Values Added: threat_severity: Moderate


Mon, 13 Apr 2026 19:15:00 +0000

Type: Weaknesses
Values Added: CWE-400

Type: Metrics
Values Added:
cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
Values Added: An improper resource deallocation and closure vulnerability in the tools/zmqsend.c component of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input file.

Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-13T19:10:25.039Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-30998

Vulnrichment

Updated: 2026-04-13T19:09:44.121Z

NVD

Status: Analyzed

Published: 2026-04-13T15:17:32.697

Modified: 2026-04-23T20:11:49.533

Link: CVE-2026-30998

Redhat

Severity: Moderate

Public Date: 2026-04-13T00:00:00Z

Links: CVE-2026-30998 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:35:47Z

Weaknesses