CVE-2020-22036

8.8 HIGH

📋 TL;DR

This is a heap-based buffer overflow vulnerability in FFmpeg's filter_intra function that could allow attackers to execute arbitrary code or cause denial of service. It affects FFmpeg 4.2 installations that process video files using the bwdif filter. Systems using FFmpeg for video processing or transcoding are vulnerable.

💻 Affected Systems

Products:
  • FFmpeg
Versions: FFmpeg 4.2 specifically; other versions may be affected depending on backports.
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when processing video with the bwdif filter; many FFmpeg installations include this filter by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash (denial of service) or memory corruption leading to unstable behavior.

🟢 If Mitigated: Limited impact if proper sandboxing, ASLR, and DEP are enabled; may still cause crashes.

🌐 Internet-Facing: HIGH - FFmpeg often processes user-uploaded media files on web servers.
🏢 Internal Only: MEDIUM - Internal media processing systems could be exploited via malicious files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious video file; public PoC exists in FFmpeg ticket system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FFmpeg 4.2.4 and later; also fixed in git commit 7f8d40f8b3

Vendor Advisory: https://trac.ffmpeg.org/ticket/8261

Restart Required: No

Instructions:

1. Update FFmpeg to version 4.2.4 or later.
2. For Linux: Use package manager (apt-get update && apt-get upgrade ffmpeg).
3. For Windows: Download latest build from ffmpeg.org.
4. Recompile from source with patched code.

🔧 Temporary Workarounds

Disable bwdif filter

Platform: all

Prevent use of the vulnerable filter by removing or disabling it.

ffmpeg -filters | grep bwdif
Recompile FFmpeg with --disable-filter=bwdif (filters are built by default, so omitting --enable-filter=bwdif does not remove it)

Sandbox FFmpeg processes

Platform: linux

Run FFmpeg in container or sandbox to limit impact.

docker run --security-opt no-new-privileges -v /media:/media ffmpeg

🧯 If You Can't Patch

  • Implement strict input validation for video files; reject suspicious or malformed media.
  • Deploy network segmentation to isolate FFmpeg servers; monitor for crash logs.

🔍 How to Verify

Check if Vulnerable:

Check FFmpeg version: ffmpeg -version | grep 'version 4.2' and confirm it's below 4.2.4.

Check Version:

ffmpeg -version | head -1

Verify Fix Applied:

Verify version is 4.2.4 or higher: ffmpeg -version | grep -F 'version 4.2.4' confirms 4.2.4 exactly; for newer releases, read the version from ffmpeg -version | head -1.
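
The grep checks above match one version string at a time. The following added example (not part of the original advisory or of FFmpeg's tooling) compares the reported version against the 4.2.4 fix and flags distro-suffixed builds for a backport check. The function names are hypothetical, and `sort -V` (GNU or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example (not from the page or FFmpeg): classify an `ffmpeg -version`
# banner against the fix version the page gives. Function names are hypothetical.
FIXED="4.2.4"

# version_ge A B: true when dotted version A >= B (relies on `sort -V`).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# classify_banner LINE -> patched | vulnerable | check-backports | unknown
classify_banner() {
    raw=$(printf '%s\n' "$1" | awk '$1 == "ffmpeg" && $2 == "version" { print $3 }')
    ver=${raw#n}            # release-tag builds report e.g. "n4.2.2"
    upstream=${ver%%-*}     # drop distro/build suffix: "4.2.2-1ubuntu1" -> "4.2.2"
    # Git snapshots ("N-98765-g...") and empty input carry no release number.
    case "$upstream" in
        ''|*[!0-9.]*) echo unknown; return ;;
    esac
    if version_ge "$upstream" "$FIXED"; then
        echo patched
    elif version_ge "$upstream" "4.2"; then
        # 4.2 up to but not including 4.2.4. A distro suffix means the
        # packager may have backported the fix; check the package changelog.
        if [ "$ver" != "$upstream" ]; then echo check-backports; else echo vulnerable; fi
    else
        echo unknown        # older branches: the page makes no firm statement
    fi
}

# Classify the locally installed binary, if any, and report whether the
# bwdif filter is compiled in (the page's `ffmpeg -filters | grep bwdif`).
if command -v ffmpeg >/dev/null 2>&1; then
    echo "version: $(classify_banner "$(ffmpeg -version 2>/dev/null | head -n 1)")"
    if ffmpeg -hide_banner -filters 2>/dev/null | grep -qw bwdif; then
        echo "bwdif: present"
    else
        echo "bwdif: absent"
    fi
fi
```

A result of check-backports or unknown means the version string alone cannot settle the question.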

📡 Detection & Monitoring

Log Indicators:

  • FFmpeg segmentation fault logs
  • Application crashes with memory corruption errors
  • Unexpected process termination

Network Indicators:

  • Unusual outbound connections from FFmpeg processes
  • Large number of video upload attempts

SIEM Query:

process.name:"ffmpeg" AND event.action:"segmentation fault"
