CVE-2020-24994

8.8 HIGH

📋 TL;DR

CVE-2020-24994 is a stack overflow vulnerability in libass's parse_tag function that allows remote attackers to cause denial of service or execute arbitrary code via crafted subtitle files. This affects applications using vulnerable versions of libass for subtitle rendering. Users of media players, video editors, or other software that processes ASS/SSA subtitle files are at risk.

💻 Affected Systems

Products:
  • libass
  • Applications using libass (e.g., FFmpeg, VLC, mpv, HandBrake, various media players)
Versions: libass versions before 0.15.0
Operating Systems: Linux, Windows, macOS, BSD, Other Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Any application linking against vulnerable libass versions is affected when processing ASS/SSA subtitle files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the application using libass, potentially leading to full system compromise.

🟠

Likely Case

Application crash causing denial of service, disrupting media playback or processing.

🟢

If Mitigated

No impact if patched version is used or if untrusted subtitle files are blocked.

🌐 Internet-Facing: MEDIUM - Applications processing subtitle files from untrusted sources (like media players opening files from the web) are vulnerable.
🏢 Internal Only: LOW - Internal systems not processing untrusted subtitle files have minimal exposure.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept exploit code is available in GitHub issues. Exploitation requires the victim to open a malicious subtitle file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libass 0.15.0 and later

Vendor Advisory: https://github.com/libass/libass/security/advisories/GHSA-5q2r-92pq-9f9q

Restart Required: Yes

Instructions:

1. Update libass to version 0.15.0 or later.
2. For Linux distributions, use the package manager: 'sudo apt update && sudo apt upgrade libass' (Debian/Ubuntu) or 'sudo yum update libass' (RHEL/CentOS).
3. For applications using an embedded libass, update the application to a version that ships a patched libass.
4. Restart affected applications.

🔧 Temporary Workarounds

Block untrusted subtitle files (platform: all)

Prevent processing of subtitle files from untrusted sources.

Use application sandboxing (platform: linux)

Run media players in sandboxed environments to limit impact.

firejail vlc
bwrap --dev-bind / / --proc /proc --dev /dev --ro-bind /usr /usr vlc

As written, the bwrap command binds the entire root filesystem read-write (only /usr is remounted read-only), so it offers little filesystem isolation; bind only the directories the player needs for stronger containment.

🧯 If You Can't Patch

  • Disable subtitle support in vulnerable applications if possible.
  • Implement strict file validation to reject malformed ASS/SSA files before processing.

🔍 How to Verify

Check if Vulnerable:

Check libass version: 'pkg-config --modversion libass' or 'ldconfig -p | grep libass'. If version is below 0.15.0, it's vulnerable.

Check Version:

pkg-config --modversion libass 2>/dev/null || echo 'libass not found'

Verify Fix Applied:

Confirm libass version is 0.15.0 or higher using the same commands.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults when opening subtitle files
  • Stack overflow errors in application logs

Network Indicators:

  • Downloads of subtitle files from untrusted sources followed by application crashes

SIEM Query:

(EventID=1000 OR EventID=1001) AND (ProcessName contains 'vlc' OR ProcessName contains 'mpv' OR ProcessName contains 'ffmpeg') AND (CommandLine contains '.ass' OR CommandLine contains '.ssa')

EventID 1000/1001 are the Windows Application Error / Application Crash events; the parentheses matter, since without them the OR clauses bind looser than the AND clauses and the query matches every EventID=1000 crash regardless of process or file.
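The SIEM query above, implemented as standalone detection logic over constructed sample crash events (an added example, not part of the original advisory; the key=value log format and the sample lines are assumptions):

```python
import re

CRASH_EVENT_IDS = {1000, 1001}          # Windows Application Error / Application Crash
MEDIA_PLAYERS = ("vlc", "mpv", "ffmpeg")
# Word boundary avoids false positives such as ".assets"
SUBTITLE_EXT = re.compile(r"\.(?:ass|ssa)\b", re.IGNORECASE)

# Constructed sample events in a simple key=value format (not real logs).
SAMPLE_LOG = """\
EventID=1000 ProcessName=vlc.exe CommandLine="vlc.exe movie.mkv --sub-file movie.ass"
EventID=1001 ProcessName=mpv CommandLine="mpv video.mkv --sub-file=subs.SSA"
EventID=1000 ProcessName=ffmpeg CommandLine="ffmpeg -i in.mkv -vf subtitles=subs.ass out.mp4"
EventID=1000 ProcessName=vlc.exe CommandLine="vlc.exe movie.mkv"
EventID=4624 ProcessName=vlc.exe CommandLine="vlc.exe movie.ass"
EventID=1000 ProcessName=notepad.exe CommandLine="notepad.exe notes.ass"
EventID=1000 ProcessName=vlc.exe CommandLine="vlc.exe http://example.invalid/media.assets"
"""

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD.finditer(line)}

def is_suspicious_crash(ev):
    """Crash event from a media player whose command line names an ASS/SSA file."""
    try:
        event_id = int(ev.get("EventID", ""))
    except ValueError:
        return False
    if event_id not in CRASH_EVENT_IDS:
        return False
    proc = ev.get("ProcessName", "").lower()
    if not any(p in proc for p in MEDIA_PLAYERS):
        return False
    return SUBTITLE_EXT.search(ev.get("CommandLine", "")) is not None

def find_suspicious(log_text):
    """Return the process names of all matching events, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_suspicious_crash(ev):
            hits.append(ev["ProcessName"])
    return hits

if __name__ == "__main__":
    for name in find_suspicious(SAMPLE_LOG):
        print("suspicious crash:", name)
```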

🔗 References
