CVE-2019-17542

9.8 CRITICAL

📋 TL;DR

CVE-2019-17542 is a critical heap-based buffer overflow vulnerability in FFmpeg's VQA video decoder. Attackers can exploit this by crafting malicious video files to execute arbitrary code or crash applications. Any system using FFmpeg to process untrusted video content is affected.

💻 Affected Systems

Products:
  • FFmpeg
  • Any software using FFmpeg libraries
Versions: All versions before 4.2
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in the VQA video codec decoder; systems must process VQA format video files to be exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with full system compromise, allowing attackers to install malware, steal data, or pivot to other systems.

🟠 Likely Case

Application crashes leading to denial of service, with potential for limited code execution in memory-corrupted processes.

🟢 If Mitigated

Contained crashes without code execution if memory protections (ASLR, DEP) are effective, but still causing service disruption.

🌐 Internet-Facing: HIGH - FFmpeg is commonly used in web services for video processing, making internet-facing systems prime targets.
🏢 Internal Only: MEDIUM - Internal systems processing user-uploaded videos or media files remain vulnerable to insider threats or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept exists in the OSS-Fuzz bug report; crafting malicious VQA files is straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FFmpeg 4.2 and later

Vendor Advisory: https://github.com/FFmpeg/FFmpeg/commit/02f909dc24b1f05cfbba75077c7707b905e63cd2

Restart Required: Yes

Instructions:

1. Update FFmpeg to version 4.2 or later.
2. For Linux: Use package manager (apt-get update && apt-get upgrade ffmpeg).
3. For Windows: Download latest build from ffmpeg.org.
4. Restart all services using FFmpeg.

🔧 Temporary Workarounds

Disable VQA decoder (Linux)

Remove or disable VQA video format support in FFmpeg configuration

Recompile FFmpeg with --disable-decoder=vqavideo

Input validation (all platforms)

Block or scan VQA video files before processing

🧯 If You Can't Patch

  • Implement strict file upload controls to reject VQA video files
  • Run FFmpeg in sandboxed/containerized environments with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check FFmpeg version: ffmpeg -version | grep 'version'

Check Version:

ffmpeg -version | head -1

Verify Fix Applied:

Confirm version is 4.2 or higher and test with known malicious VQA sample
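
The version and decoder checks above, combined into one triage script. This is an added example, not part of the advisory or the FFmpeg project; the function names and verdict words are assumptions, and the sample output lines are constructed.

```shell
#!/bin/sh
# Added example: triage an FFmpeg build for CVE-2019-17542 using the fixed
# version (4.2) and decoder name (vqavideo) stated on this page.
# Caveat: a version string cannot show a fix backported by a distribution.

# Print MAJOR.MINOR from line 1 of `ffmpeg -version`; prints nothing for
# git snapshot builds ("N-94150-g..."), which carry no release number.
ffmpeg_release() {
    printf '%s\n' "$1" |
        sed -n '1s/^ffmpeg version n\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed if release $1 (MAJOR.MINOR) is older than 4.2.
is_prepatch() {
    major=${1%%.*}
    minor=${1#*.}
    [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 2 ]; }
}

# Succeed if `ffmpeg -decoders` output in $1 lists the vqavideo decoder.
has_vqa_decoder() {
    printf '%s\n' "$1" | awk '$2 == "vqavideo" { f = 1 } END { exit !f }'
}

# classify VERSION_OUTPUT DECODERS_OUTPUT -> one verdict word on stdout.
classify() {
    rel=$(ffmpeg_release "$1")
    if [ -z "$rel" ]; then echo "unknown-version"
    elif ! is_prepatch "$rel"; then echo "patched"
    elif has_vqa_decoder "$2"; then echo "vulnerable"
    else echo "decoder-disabled"
    fi
}

# Constructed sample output, so the logic can be exercised offline.
SAMPLE_VER='ffmpeg version 4.1.3 Copyright (c) 2000-2019 the FFmpeg developers'
SAMPLE_DEC=' V....D vqavideo             Westwood Studios VQA video'
echo "sample build: $(classify "$SAMPLE_VER" "$SAMPLE_DEC")"

# Check the locally installed binary, if there is one.
if command -v ffmpeg >/dev/null 2>&1; then
    echo "local build: $(classify "$(ffmpeg -version 2>/dev/null)" \
        "$(ffmpeg -hide_banner -decoders 2>/dev/null)")"
fi
```

A verdict of "unknown-version" means the build is a git snapshot and has to be checked against the fix commit rather than a release number.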

📡 Detection & Monitoring

Log Indicators:

  • FFmpeg segmentation faults
  • Memory access violation errors
  • Unexpected process termination

Network Indicators:

  • Unusual outbound connections from media processing servers
  • Large VQA file uploads to processing endpoints

SIEM Query:

Process:ffmpeg AND (EventID:1000 OR Signal:SIGSEGV)
