CVE-2020-20892

8.8 HIGH

📋 TL;DR

A division by zero vulnerability in FFmpeg's lens correction filter allows attackers to cause denial of service or potentially execute arbitrary code by processing specially crafted video files. This affects systems running FFmpeg 4.2.1 that use the lens correction filter. Media processing servers, video editing software, and applications embedding FFmpeg are at risk.

💻 Affected Systems

Products:
  • FFmpeg
Versions: FFmpeg 4.2.1 specifically; potentially other versions with similar code.
Operating Systems: All platforms running FFmpeg (Linux, Windows, macOS, etc.)
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using the lens correction filter (vf_lenscorrection). Many FFmpeg installations may not use this filter by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise if the division by zero triggers memory corruption that can be weaponized.

🟠 Likely Case

Denial of service causing FFmpeg process crashes when processing malicious video files, disrupting media processing services.

🟢 If Mitigated

Process isolation limits impact to the FFmpeg instance; proper input validation prevents exploitation.

🌐 Internet-Facing: MEDIUM - Exploitation requires processing attacker-controlled media files, which is common for internet-facing media servers.
🏢 Internal Only: LOW - Internal systems typically process trusted media; risk exists only if processing untrusted content.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting a malicious video file that triggers the division by zero when processed with lens correction filter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in FFmpeg commit 19587c9332f5be4f6bc6d7b2b8ef3fd21dfeaa01 and later versions

Vendor Advisory: https://trac.ffmpeg.org/ticket/8265

Restart Required: Yes

Instructions:

1. Update FFmpeg to version 4.2.2 or later.
2. Rebuild from source with the fix commit.
3. Restart all services using FFmpeg.

🔧 Temporary Workarounds

Disable lens correction filter

all

Prevent use of the vulnerable vf_lenscorrection filter in FFmpeg commands

Avoid using '-vf lenscorrection' in FFmpeg commands

Input validation

all

Validate all input media files before processing with FFmpeg

Implement file type validation and sanitization before FFmpeg processing

🧯 If You Can't Patch

  • Isolate FFmpeg processes in containers or sandboxes to limit blast radius
  • Implement strict access controls to prevent untrusted users from submitting media for processing

🔍 How to Verify

Check if Vulnerable:

Check the FFmpeg version and verify whether it is 4.2.1:

ffmpeg -version | grep 'version'

Also check whether the lenscorrection filter is available:

ffmpeg -filters | grep lenscorrection

Check Version:

ffmpeg -version | head -1

Verify Fix Applied:

Verify FFmpeg version is 4.2.2 or later, or check git commit contains 19587c9332f5be4f6bc6d7b2b8ef3fd21dfeaa01
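
The checks above combined into one triage helper, as an added example that is not part of the original advisory or of FFmpeg's own tooling. The function names, result labels and sample `ffmpeg -filters` lines are constructed for illustration; the version thresholds follow this page (4.2.1 affected, 4.2.2 or later fixed).

```shell
#!/bin/sh
# Added example: offline triage for CVE-2020-20892 using this page's criteria.

# Classify the first line of `ffmpeg -version`.
# Prints: affected (4.2.1), fixed (4.2.2 or later), unknown (anything else).
ffmpeg_version_status() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "ffmpeg" && $2 == "version" { print $3; exit }')
    ver=${ver#n}                                      # tag builds report e.g. n4.2.1
    ver=$(printf '%s' "$ver" | sed 's/[^0-9.].*$//')  # drop suffix: 4.2.1-1ubuntu1
    case "$ver" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;                  # git snapshots (N-...), empty input
    esac
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    n=$(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
    if [ "$n" -eq 40201 ]; then echo affected
    elif [ "$n" -ge 40202 ]; then echo fixed
    else echo unknown                                 # older releases: page does not say
    fi
}

# Reads `ffmpeg -filters` output on stdin; succeeds if lenscorrection is compiled in.
has_lenscorrection() {
    awk '$2 == "lenscorrection" { found = 1 } END { exit !found }'
}

# $1 = first line of `ffmpeg -version`, stdin = `ffmpeg -filters` output.
triage() {
    vstatus=$(ffmpeg_version_status "$1")
    if has_lenscorrection; then filter=present; else filter=absent; fi
    case "$vstatus/$filter" in
        affected/present) echo vulnerable ;;     # 4.2.1 with the filter available
        affected/absent)  echo filter-absent ;;  # 4.2.1, but the filter cannot be invoked
        fixed/*)          echo fixed ;;
        *)                echo review ;;         # version not covered by the advisory
    esac
}

# Constructed sample input (not captured from a real host).
SAMPLE_VERSION='ffmpeg version 4.2.1 Copyright (c) 2000-2019 the FFmpeg developers'
SAMPLE_FILTERS=' ... hflip             V->V       Flip the input video horizontally.
 ... lenscorrection    V->V       Rectify the image by correcting for lens distortion.'

printf '%s\n' "$SAMPLE_FILTERS" | triage "$SAMPLE_VERSION"
# Live host: ffmpeg -filters 2>/dev/null | triage "$(ffmpeg -version | head -1)"
```

A result of `review` means the build reports a version the advisory does not classify (for example a git snapshot), so confirm against the fix commit instead.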

📡 Detection & Monitoring

Log Indicators:

  • FFmpeg process crashes with segmentation fault
  • Error logs containing 'division by zero' or lenscorrection filter errors

Network Indicators:

  • Unusual media file uploads to processing endpoints
  • Repeated failed media processing requests

SIEM Query:

process.name:ffmpeg AND (event.action:crash OR log.message:"*division by zero*")
