Description
A heap buffer overflow in the av_bprint_finalize() function of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Published: 2026-04-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

The vulnerability is a heap buffer overflow in av_bprint_finalize() within FFmpeg 8.0.1, caused by improperly handled input that leads to memory corruption. An attacker can supply a crafted media or command string to trigger the overflow, resulting in an application crash and denial of service. The flaw is a classic buffer overflow (CWE-122, CWE-787), allowing loss of application availability but not immediate confidentiality or integrity compromise.

Affected Systems

This vulnerability affects the FFmpeg open‑source multimedia framework, specifically version 8.0.1. The affected component is the av_bprint_finalize() function used during packet processing. All deployments using FFmpeg 8.0.1 or earlier unreleased builds that include the same code path are at risk. No other vendors or products are listed, but any system that executes FFmpeg to process media input should assess if version 8.0.1 is in use.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. No EPSS score is available, which makes precise exploitation probability uncertain, but lack of presence in KEV suggests no known active exploits yet. Based on the description, the likely attack vector is local or via malicious input provided to FFmpeg – for example, through a user‑controlled media file. If attackers can influence FFmpeg's input stream, they can trigger the overflow, causing a service interruption.

Generated by OpenCVE AI on April 14, 2026 at 01:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FFmpeg to the latest stable release that resolves the heap buffer overflow in av_bprint_finalize().
  • If immediate upgrade is not possible, verify that the FFmpeg binary comes from a trusted source and includes integrity verification, such as checksums or signatures.
  • Restrict the use of FFmpeg to trusted media sources, and validate or sanitize all input before passing it to the binary.
  • Monitor application logs for abnormal crashes or segmentation faults that may indicate exploitation attempts.

Generated by OpenCVE AI on April 14, 2026 at 01:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Ffmpeg
Ffmpeg ffmpeg
Vendors & Products Ffmpeg
Ffmpeg ffmpeg

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title FFmpeg: FFmpeg: Denial of Service via heap buffer overflow in av_bprint_finalize()
Weaknesses CWE-787
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description A heap buffer overflow in the av_bprint_finalize() function of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.
References

Subscriptions

Ffmpeg Ffmpeg
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-13T19:11:38.554Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-30999

cve-icon Vulnrichment

Updated: 2026-04-13T19:11:34.357Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-13T15:17:32.827

Modified: 2026-04-23T20:10:36.647

Link: CVE-2026-30999

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-13T00:00:00Z

Links: CVE-2026-30999 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:35:46Z

Weaknesses