FFmpeg Out-of-Bounds Read Vulnerability in RV60 Video Decoder

Vulnerability

An out-of-bounds read has been identified in the FFmpeg RV60 video decoder in versions 8.0 and 8.0.1. The decoder does not fully validate the quantization parameter (qp) taken from the input: the lower bound is checked, but the upper bound is not, so a qp above the valid range is accepted and used to index memory beyond the intended bounds. Decoding a stream that carries such a qp can disclose memory contents or crash the process.
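To make the defect class concrete, the following is an added C example; it is not FFmpeg's code, and the RV60 decoder's real table names, table sizes and header layout are not reproduced here. It assumes a 32-entry quantiser-step table indexed by qp and a constructed two-byte header (base qp plus a signed delta), and places the lower-bound-only check beside the full range check so the same input can be run through both:

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Assumed: a 32-entry quantiser step table indexed by qp. The values are
 * constructed for this example and are not RV60's real tables. */
#define QP_TABLE_SIZE 32
static const uint16_t qstep_table[QP_TABLE_SIZE] = {
      4,   5,   6,   7,   8,   9,  10,  11,
     12,  14,  16,  18,  20,  22,  24,  26,
     28,  32,  36,  40,  44,  48,  52,  56,
     64,  72,  80,  88,  96, 112, 128, 144,
};

/* The flawed pattern: only the lower bound is enforced. Any qp >= 32 is
 * accepted and, if used as an index, reads past the end of qstep_table. */
int qp_is_valid_lower_only(int qp)
{
    return qp >= 0;
}

/* The corrected pattern: both bounds are enforced against the table size. */
int qp_is_valid(int qp)
{
    return qp >= 0 && qp < QP_TABLE_SIZE;
}

/* Decode a qp from a constructed two-byte header: byte 0 is the base qp,
 * byte 1 a signed per-slice delta (this layout is an assumption for the
 * example, not the RV60 bitstream syntax). The validator is passed in so
 * the two checks can be compared on the same input. Returns the accepted qp,
 * or -1 if the header is short or the validator rejects the value. */
int header_qp(const uint8_t *hdr, size_t len, int (*valid)(int))
{
    if (len < 2)
        return -1;
    int qp = (int)hdr[0] + (int)(int8_t)hdr[1];
    return valid(qp) ? qp : -1;
}

/* Bounds-checked table lookup: -1 for an invalid qp, the step otherwise. */
int qstep_lookup(int qp)
{
    if (!qp_is_valid(qp))
        return -1;
    return qstep_table[qp];
}

/* Constructed headers (base, signed delta). */
const uint8_t hdr_in_range[2]  = { 0x10, 0xFB }; /* 16 + (-5)  =  11 */
const uint8_t hdr_too_large[2] = { 0x10, 0x7F }; /* 16 + 127   = 143 */
const uint8_t hdr_negative[2]  = { 0x02, 0xF0 }; /*  2 + (-16) = -14 */

int main(void)
{
    printf("in range,  lower-only check: %d\n",
           header_qp(hdr_in_range, 2, qp_is_valid_lower_only));
    printf("in range,  full check:       %d\n",
           header_qp(hdr_in_range, 2, qp_is_valid));
    printf("too large, lower-only check: %d  <- accepted; would index past the table\n",
           header_qp(hdr_too_large, 2, qp_is_valid_lower_only));
    printf("too large, full check:       %d\n",
           header_qp(hdr_too_large, 2, qp_is_valid));
    printf("negative,  either check:     %d\n",
           header_qp(hdr_negative, 2, qp_is_valid_lower_only));
    printf("step for qp 11: %d, step for qp 143: %d\n",
           qstep_lookup(11), qstep_lookup(143));
    return 0;
}
```

The signed delta is the detail worth noting: a lower-bound check alone looks reasonable when qp can go negative, which is exactly how the upper bound gets forgotten. The fix is to validate the final qp against the size of whatever it indexes, after all adjustments have been applied and before any table access.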

Impact

Decoding a crafted RV60 stream triggers an out-of-bounds read in the decoder, which can disclose memory contents or crash the decoding process (denial of service).

Remediation

Upgrade to FFmpeg 8.1, where this vulnerability is fixed. Versions 8.0 and 8.0.1 are affected.

Added: Mar 16, 2026, 9:13 PM
Updated: Mar 16, 2026, 9:13 PM

Vulnerability Rating (Custom Algorithm)

spread: 8.4
impact: 3.1
exploitability: 5.1
remediation: 7.7
relevance: 4.3
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.