CVE-2020-22017

8.8 HIGH

📋 TL;DR

This heap-based buffer overflow vulnerability in FFmpeg's drawutils.c allows attackers to corrupt memory by sending specially crafted media files. It affects systems using FFmpeg 4.2 for media processing, potentially leading to arbitrary code execution. Media servers, video processing applications, and any software using vulnerable FFmpeg libraries are at risk.

💻 Affected Systems

Products:
  • FFmpeg
  • Software using FFmpeg libraries
Versions: FFmpeg 4.2
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Any application linking against vulnerable FFmpeg libraries is affected, not just the FFmpeg command-line tool.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the privileges of the FFmpeg process, potentially leading to complete system compromise.

🟠 Likely Case: Application crash (denial of service) or memory corruption leading to unstable behavior.

🟢 If Mitigated: Limited impact if FFmpeg runs in sandboxed environments with minimal privileges.

🌐 Internet-Facing: HIGH - FFmpeg often processes untrusted media files from external sources.
🏢 Internal Only: MEDIUM - Risk exists when processing internal media files, but attack surface is smaller.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious media files that trigger the buffer overflow during rectangle filling operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FFmpeg 4.2.4 and later

Vendor Advisory: https://trac.ffmpeg.org/ticket/8309

Restart Required: Yes

Instructions:

1. Update FFmpeg to version 4.2.4 or later using your package manager.
2. For compiled applications, recompile with updated FFmpeg libraries.
3. Restart all services using FFmpeg.

🔧 Temporary Workarounds

Input Validation (platform: all)

Implement strict input validation for media files before processing with FFmpeg.

Sandbox Execution (platform: linux)

Run FFmpeg in a sandboxed environment with minimal privileges.

firejail --net=none ffmpeg [options]

🧯 If You Can't Patch

  • Isolate FFmpeg processing to dedicated, segmented systems with no sensitive data.
  • Implement network-level controls to prevent untrusted media files from reaching vulnerable systems.

🔍 How to Verify

Check if Vulnerable:

Run ffmpeg -version | grep 'version' and compare the reported version with 4.2.4; a 4.2 build below 4.2.4 is affected.

Check Version:

ffmpeg -version | grep 'version'

Verify Fix Applied:

Confirm the reported version is 4.2.4 or later: ffmpeg -version | grep 'version'
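The version check above is easy to get wrong by hand because distribution builds append suffixes ("4.2.2-1ubuntu1"), tagged builds prefix an "n" ("n4.2.4"), and git snapshots report no release number at all. The following script is an added example, not part of this advisory or of FFmpeg itself: it parses the first line of `ffmpeg -version`, compares it with the 4.2.4 fix version stated above, and reports builds outside the 4.2 line as unknown rather than guessing. The sample banner is constructed, not captured from a real host.

```python
import re
import subprocess

# From the advisory: the 4.2 line is affected, 4.2.4 and later carry the fix.
AFFECTED_LINE = (4, 2)
FIXED_VERSION = (4, 2, 4)

# Constructed sample of the first line printed by `ffmpeg -version` on a
# distribution build (not captured from any real system).
SAMPLE_BANNER = (
    "ffmpeg version 4.2.2-1ubuntu1 Copyright (c) 2000-2019 the FFmpeg developers"
)

_VERSION_RX = re.compile(r"ffmpeg version n?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_ffmpeg_version(banner):
    """Return (major, minor, patch) from an `ffmpeg -version` banner.

    Distro suffixes ('4.2.2-1ubuntu1') and the 'n' tag prefix ('n4.2.4') are
    tolerated. Git snapshot banners ('N-12345-gabcdef') have no release
    number and yield None, since they cannot be placed on the release line.
    """
    m = _VERSION_RX.search(banner)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable(version):
    """Classify a parsed version against this advisory.

    True  -> a 4.2 release below 4.2.4 (affected per the advisory)
    False -> 4.2.4 or a later 4.2 release (fixed per the advisory)
    None  -> unparseable, or a release line the advisory does not cover
    """
    if version is None or version[:2] != AFFECTED_LINE:
        return None
    return version < FIXED_VERSION


def check_installed(ffmpeg="ffmpeg"):
    """Run the installed binary and classify it. Returns (version, verdict).

    A missing binary yields (None, None) instead of raising, so the check
    can be run on hosts where FFmpeg may not be present.
    """
    try:
        proc = subprocess.run(
            [ffmpeg, "-version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return (None, None)
    version = parse_ffmpeg_version(proc.stdout)
    return (version, is_vulnerable(version))


if __name__ == "__main__":
    v, verdict = check_installed()
    print("installed:", v, "vulnerable per advisory:", verdict)
```

Note that `None` is a deliberate third state: a 4.3 build or a git snapshot is not "safe" in the sense of this card, it is simply outside what the advisory states, and the script says so instead of reporting a false negative.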

📡 Detection & Monitoring

Log Indicators:

  • FFmpeg segmentation faults
  • Memory corruption errors in application logs
  • Unexpected FFmpeg process termination

Network Indicators:

  • Unusual media file uploads to processing systems
  • Traffic patterns suggesting exploit delivery

SIEM Query:

process_name:"ffmpeg" AND (event_type:"crash" OR exit_code:139)
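Raw host logs rarely arrive already in the `process_name` / `event_type` / `exit_code` shape the SIEM query above expects. The script below is an added example (not part of this advisory, and not FFmpeg or any SIEM vendor's code): it normalises the three log shapes listed under Log Indicators (a kernel segfault notice, a systemd unit killed by SIGSEGV, and an exit status 139) into records with those fields and then evaluates the advisory's query over them. The log lines are constructed samples, the `transcode@` unit name is an assumed convention for an FFmpeg-backed service, and the library-name check relies on drawutils.c living in libavfilter.

```python
import re

# Constructed sample log lines (not captured from any real system), in the
# shapes a transcoding host commonly emits: a kernel segfault notice, a
# systemd unit failure, a shell-level exit status, a benign completion, and
# an unrelated crash that must not be flagged.
SAMPLE_LOGS = [
    "Mar 10 12:01:07 media01 kernel: ffmpeg[21544]: segfault at 7f3a1c000000 "
    "ip 00007f3a2a1b4c10 sp 00007ffd3b7e9e40 error 4 in "
    "libavfilter.so.7.57.100[7f3a2a100000+200000]",
    "Mar 10 12:01:07 media01 systemd[1]: transcode@job77.service: "
    "Main process exited, code=killed, status=11/SEGV",
    "Mar 10 12:02:15 media01 transcoder[3310]: job=78 cmd=ffmpeg "
    "exit_code=139 input=/srv/upload/clip78.mkv",
    "Mar 10 12:03:40 media01 transcoder[3310]: job=79 cmd=ffmpeg "
    "exit_code=0 input=/srv/upload/clip79.mp4",
    "Mar 10 12:04:02 media01 kernel: chrome[9001]: segfault at 0 ip 0 sp 0 "
    "error 6 in libfoo.so[0+1000]",
]

# Each rule maps a raw line shape to the fields the SIEM query uses.
# 'transcode@' is an assumed unit-name convention, not something the
# advisory specifies; adjust it to the unit that actually wraps ffmpeg.
KERNEL_SEGV = re.compile(
    r"\bffmpeg\[\d+\]: segfault at \S+ .*?\bin (?P<lib>\S+?)\["
)
SYSTEMD_SEGV = re.compile(
    r"transcode@\S+: Main process exited, code=killed, status=11/SEGV"
)
EXIT_STATUS = re.compile(r"cmd=ffmpeg\b.*\bexit_code=(?P<code>\d+)\b")
INPUT_FIELD = re.compile(r"\binput=(?P<path>\S+)")


def normalise(line_no, line):
    """Turn one raw line into a SIEM-style record, or None if it is not an
    ffmpeg lifecycle event at all."""
    rec = {"line": line_no, "process_name": "ffmpeg"}
    m = KERNEL_SEGV.search(line)
    if m:
        rec["event_type"] = "crash"
        rec["library"] = m.group("lib")
        # drawutils.c is part of libavfilter, so a fault there is the most
        # relevant signal for this advisory.
        rec["in_libavfilter"] = m.group("lib").startswith("libavfilter")
        return rec
    if SYSTEMD_SEGV.search(line):
        rec["event_type"] = "crash"
        return rec
    m = EXIT_STATUS.search(line)
    if m:
        rec["event_type"] = "exit"
        rec["exit_code"] = int(m.group("code"))
        inp = INPUT_FIELD.search(line)
        if inp:
            rec["input"] = inp.group("path")
        return rec
    return None


def matches_siem_query(rec):
    """The advisory's query, evaluated on one normalised record:
    process_name:"ffmpeg" AND (event_type:"crash" OR exit_code:139)."""
    return rec.get("process_name") == "ffmpeg" and (
        rec.get("event_type") == "crash" or rec.get("exit_code") == 139
    )


def find_crash_events(lines):
    """Normalise every line and keep those the SIEM query would alert on."""
    hits = []
    for n, line in enumerate(lines):
        rec = normalise(n, line)
        if rec is not None and matches_siem_query(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for ev in find_crash_events(SAMPLE_LOGS):
        print(ev)
```

Exit status 139 is 128 + 11 (SIGSEGV), which is why the page's query treats it as equivalent to a crash event; the `input=` field, where a wrapper logs it, is what lets a responder retrieve the file that triggered the fault for analysis in an isolated environment.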
