CVE-2020-20896

8.8 HIGH

📋 TL;DR

A null pointer dereference vulnerability in FFmpeg's latm_write_packet function allows attackers to cause denial of service or potentially execute arbitrary code by processing malicious media files. This affects systems using FFmpeg 4.2.1 for media processing, including video streaming services, media converters, and applications with embedded FFmpeg libraries.

💻 Affected Systems

Products:
  • FFmpeg
Versions: 4.2.1 specifically (commits prior to dd01947397b98e94c3f2a79d5820aaf4594f4d3b)
Operating Systems: All platforms running FFmpeg (Linux, Windows, macOS, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or service using the vulnerable FFmpeg library for processing LATM audio streams is affected.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise if the null pointer dereference can be leveraged for memory corruption attacks.

🟠 Likely Case

Denial of service causing FFmpeg processes to crash when processing specially crafted media files.

🟢 If Mitigated

Isolated process crash with no privilege escalation if proper sandboxing and privilege separation are implemented.

🌐 Internet-Facing: HIGH - FFmpeg is commonly used in web applications for media processing, making internet-facing systems vulnerable to remote attacks via uploaded media files.
🏢 Internal Only: MEDIUM - Internal systems processing media files could be exploited by malicious insiders or through compromised media sources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious media file that triggers the null pointer dereference. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit dd01947397b98e94c3f2a79d5820aaf4594f4d3b and later versions

Vendor Advisory: https://trac.ffmpeg.org/ticket/8273

Restart Required: Yes

Instructions:

1. Update FFmpeg to version 4.2.2 or later.
2. Rebuild any applications using FFmpeg libraries.
3. Restart services using FFmpeg.

🔧 Temporary Workarounds

Disable LATM audio processing

Platforms: all

Configure FFmpeg to avoid processing LATM audio streams, which trigger the vulnerability (INPUT_FILE is a placeholder for the media file):

ffmpeg -i INPUT_FILE -acodec copy -vcodec copy -f null -

Input validation filtering

Platforms: all

Implement file type validation to reject suspicious media files before FFmpeg processing

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all media files processed by FFmpeg
  • Run FFmpeg in isolated containers or sandboxes with minimal privileges to limit impact

🔍 How to Verify

Check if Vulnerable:

Check FFmpeg version with 'ffmpeg -version' and verify if it's 4.2.1. Also check if the commit hash matches pre-patch versions.

Check Version:

ffmpeg -version | head -1

Verify Fix Applied:

Verify FFmpeg version is 4.2.2 or later, or that the commit includes dd01947397b98e94c3f2a79d5820aaf4594f4d3b
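
The version check above can be scripted. The following is an added example, not code from this advisory or from the FFmpeg project, that classifies the first line of `ffmpeg -version` against the versions this page names; the function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the first line of `ffmpeg -version` against the
# versions this advisory names (4.2.1 affected, 4.2.2 or later fixed).

classify_ffmpeg_banner() {
    # $1: banner line, e.g. "ffmpeg version 4.2.1 Copyright (c) ..."
    printf '%s\n' "$1" | awk '
        NR == 1 && $1 == "ffmpeg" && $2 == "version" {
            v = $3
            sub(/^n/, "", v)        # builds from a git release tag report "n4.2.1"
            # Accept a leading X.Y or X.Y.Z and ignore packaging suffixes ("-1ubuntu1")
            if (match(v, /^[0-9]+\.[0-9]+(\.[0-9]+)?/)) {
                split(substr(v, 1, RLENGTH), p, ".")
                n = p[1] * 1000000 + p[2] * 1000 + p[3]
                if (n == 4002001)      verdict = "vulnerable"
                else if (n >= 4002002) verdict = "fixed"
                else                   verdict = "not-listed"   # older than the release the page names
            }
        }
        # Snapshot builds ("N-95000-g...") carry no release number: decide by commit instead
        END { print (verdict == "" ? "unknown" : verdict) }'
}

check_local_ffmpeg() {
    command -v ffmpeg >/dev/null 2>&1 || { echo "ffmpeg not on PATH"; return 2; }
    banner=$(ffmpeg -version 2>/dev/null | head -1)
    verdict=$(classify_ffmpeg_banner "$banner")
    printf '%s\nverdict: %s\n' "$banner" "$verdict"
    [ "$verdict" = fixed ]          # non-zero exit for anything that needs follow-up
}

# Constructed sample banners (not captured from real hosts)
while IFS= read -r b; do
    printf '%-11s %s\n' "$(classify_ffmpeg_banner "$b")" "$b"
done <<'EOF'
ffmpeg version 4.2.1 Copyright (c) 2000-2019 the FFmpeg developers
ffmpeg version n4.2.1 Copyright (c) 2000-2019 the FFmpeg developers
ffmpeg version 4.2.2-1ubuntu1 Copyright (c) 2000-2019 the FFmpeg developers
ffmpeg version 4.1.4 Copyright (c) 2000-2019 the FFmpeg developers
ffmpeg version N-95000-gabcdef0 Copyright (c) 2000-2019 the FFmpeg developers
EOF
```

Call `check_local_ffmpeg` to test the binary on PATH. The verdict covers only that binary: applications that bundle their own FFmpeg libraries need the same check against the bundled version, and distribution packages may carry backported fixes that the banner does not show.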

📡 Detection & Monitoring

Log Indicators:

  • FFmpeg process crashes with segmentation faults
  • Error messages related to latm_write_packet or null pointer dereferences

Network Indicators:

  • Unusual media file uploads to systems using FFmpeg
  • Multiple failed media processing attempts

SIEM Query:

process.name:ffmpeg AND (event.action:crash OR error.message:*null* OR error.message:*segmentation*)
