Remote code execution via Heap Buffer Overflow in FFmpeg JPEG2000

7.2 / 10

HIGH

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H

Description

A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows an attacker to potentially gain remote code execution or cause denial of service via the channel definition cdef atom of JPEG2000.

Basic Information

ID CVE-2025-9951

Source Google

Published Sep 9, 2025 at 13:54

Modified Sep 9, 2025 at 14:20

Affected Product

Vendor FFmpeg

Product FFmpeg

Version < 8.0

Affected Versions FFmpeg FFmpeg < 8.0

CWE Classification

CWE-122

References

github.com /google/security-research/security/advisories/GHSA-39q3-f8jq-v6mg

{
    "lastseen": "",
    "description": "A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows an attacker to potentially gain remote code execution or cause denial of service via the channel definition cdef atom of JPEG2000.",
    "published": "2025-09-09T13:54:08.497Z",
    "modified": "2025-09-09T14:20:40.876Z",
    "type": "cve",
    "title": "Remote code execution via Heap Buffer Overflow in FFmpeg JPEG2000",
    "source": "Google",
    "references": "https://github.com/google/security-research/security/advisories/GHSA-39q3-f8jq-v6mg",
    "id": "CVE-2025-9951",
    "bulletinFamily": "",
    "cwe": [
        "CWE-122"
    ],
    "cvelist": null,
    "sourceData": "FFmpeg FFmpeg < 8.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "FFmpeg",
    "version": "< 8.0",
    "vendor": "FFmpeg",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Remote code execution via Heap Buffer Overflow in FFmpeg JPEG2000_CVE-2025-9951