FFmpeg libavcodec/hevcdec.c NULL Pointer Dereference Denial of Service Vulnerability [CVE-2019-11338]
CVE Number – CVE-2019-11338
A vulnerability in the libavcodec/hevcdex.c source code of FFmpeg could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.The vulnerability exists because the affected software incorrectly detects duplicate first slices in the libavacodec/hevcdec.c source file. An attacker could exploit this vulnerability by supplying a crafted High Efficiency Video Coding (HEVC) file to the affected system. A successful exploit could allow the attacker to trigger a NULL pointer dereference error that could result in a DoS condition or other unpsecified impacts on the targeted system.FFmpeg has confirmed this vulnerability and released a software patch.
Analysis
- To exploit this vulnerability, an attacker would need network access and the ability to supply the targeted system with a crafted HEVC file. These requirements could reduce the likelihood of a successful exploit.
Safeguards
- Administrators are advised to apply the appropriate updates.Administrators are advised to allow only trusted users to have network access.Administrators are advised to monitor critical systems.
Vendor Announcements
- FFmpeg has posted a security issue at the following link: Duplicate First Slices
Fixed Software
- FFmpeg has posted a patch at the following link: Duplicate First Slices Patch
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.