CVE-2020-22034

8.8 HIGH

📋 TL;DR

A heap-based buffer overflow vulnerability in FFmpeg's floodfill filter allows attackers to execute arbitrary code or cause denial of service by processing specially crafted video files. This affects any system using FFmpeg 4.2 for video processing, including media servers, video editing software, and web applications with video upload capabilities.

💻 Affected Systems

Products:
  • FFmpeg
Versions: FFmpeg 4.2
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when floodfill filter is used, which may be enabled in various video processing pipelines.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash causing denial of service, potentially disrupting video processing services.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing, potentially just crashes in isolated containers.

🌐 Internet-Facing: HIGH - Attackers can exploit by uploading malicious video files to web applications or media servers.
🏢 Internal Only: MEDIUM - Requires user interaction to open malicious files, but could spread through shared media.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious video files; public proof-of-concept exists in vulnerability reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FFmpeg 4.2.4 and later

Vendor Advisory: https://trac.ffmpeg.org/ticket/8236

Restart Required: No

Instructions:

1. Update FFmpeg to version 4.2.4 or later using your package manager (apt-get upgrade ffmpeg, yum update ffmpeg, etc.).
2. Recompile from source if using custom builds.
3. Restart any services using FFmpeg.

🔧 Temporary Workarounds

Disable floodfill filter (platform: all)

Remove or disable the vf_floodfill filter from FFmpeg configurations to prevent exploitation.

Check FFmpeg configurations and remove '-vf floodfill' or similar filter references.

Input validation and sandboxing (platform: linux)

Implement strict input validation for video files and run FFmpeg in sandboxed/containerized environments.

Use AppArmor: aa-genprof ffmpeg
Use Docker: docker run --security-opt seccomp=ffmpeg.json

🧯 If You Can't Patch

  • Implement network segmentation to isolate FFmpeg servers from critical systems
  • Deploy application allowlisting to prevent execution of unauthorized FFmpeg processes

🔍 How to Verify

Check if Vulnerable:

Run: ffmpeg -version | head -n 1 | grep -E 'version n?4\.2(\.[0-3])?($|[^0-9.])' && echo 'Vulnerable: FFmpeg 4.2.0-4.2.3'

Check Version:

ffmpeg -version | head -1

Verify Fix Applied:

Run: ffmpeg -version | head -n 1 | grep -E 'version n?([5-9]|[1-9][0-9]|4\.([3-9]|[1-9][0-9])|4\.2\.([4-9]|[1-9][0-9]))' && echo 'Patched: version >= 4.2.4'
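A grep on the version banner is easy to get wrong (a loose pattern also matches the fixed 4.2.4, a fixed list of majors misses 6.x and later). As an added example that is not part of this advisory, the POSIX shell function below parses the first line of ffmpeg -version and places it in the affected (4.2.0-4.2.3) or fixed (4.2.4 and later) range stated above; it assumes the standard "ffmpeg version X.Y.Z" banner, and the sample banners are constructed.

```shell
#!/bin/sh
# Added example (not from this advisory): classify the first line of
# "ffmpeg -version" against the affected (4.2.0-4.2.3) and fixed (4.2.4+)
# ranges stated above. Version-number heuristic only: a distro build that
# backports the fix without bumping the version still reads as vulnerable.

# ffmpeg_version_status "ffmpeg version 4.2.2 Copyright ..."
#   prints vulnerable -> 4.2.0 through 4.2.3
#          patched    -> 4.2.4 and later 4.2.x, 4.3+, 5.x and newer
#          unknown    -> unparseable banner (git snapshots) or a release
#                        older than 4.2, which this advisory does not cover
ffmpeg_version_status() {
    line=$1
    # keep the numeric part only: drops an optional "n" tag prefix (git tag
    # builds) and any "-1ubuntu0.1" / " Copyright" suffix
    ver=$(printf '%s\n' "$line" |
        sed -n 's/^ffmpeg version n\{0,1\}\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }

    old_ifs=$IFS
    IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -gt 2 ]; }; then
        echo patched
    elif [ "$major" -eq 4 ] && [ "$minor" -eq 2 ]; then
        if [ "$patch" -ge 4 ]; then echo patched; else echo vulnerable; fi
    else
        echo unknown
    fi
}

# check_local_ffmpeg: run the classifier against the installed binary, if any
check_local_ffmpeg() {
    command -v ffmpeg >/dev/null 2>&1 || { echo unknown; return 0; }
    ffmpeg_version_status "$(ffmpeg -version 2>/dev/null | head -n 1)"
}

# Constructed sample banners (not captured from real hosts)
for sample in \
    "ffmpeg version 4.2.2-1ubuntu1 Copyright (c) 2000-2019 the FFmpeg developers" \
    "ffmpeg version n4.2.4 Copyright (c) 2000-2020 the FFmpeg developers" \
    "ffmpeg version 6.1.1 Copyright (c) 2000-2023 the FFmpeg developers" \
    "ffmpeg version N-98952-g3c6bb8e Copyright (c) 2000-2020 the FFmpeg developers"
do
    printf '%-10s %s\n' "$(ffmpeg_version_status "$sample")" "$sample"
done
```

On a fleet, run check_local_ffmpeg over SSH and confirm any "vulnerable" result against the distribution's changelog before treating it as unpatched.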

📡 Detection & Monitoring

Log Indicators:

  • FFmpeg segmentation fault/crash logs
  • Unexpected process termination of ffmpeg
  • Error messages referencing floodfill or buffer overflow

Network Indicators:

  • Unusual video file uploads to web applications
  • Multiple failed FFmpeg processing attempts

SIEM Query:

source="*ffmpeg*" AND ("segmentation fault" OR "buffer overflow" OR "floodfill")
