CVE-2020-24995

7.8 HIGH

📋 TL;DR

This CVE describes a buffer overflow vulnerability in the sniff_channel_order function within ffmpeg's AAC decoder. Attackers can exploit this to execute arbitrary code locally on affected systems. Users running vulnerable versions of ffmpeg that process malicious AAC audio files are at risk.

💻 Affected Systems

Products:
  • ffmpeg
Versions: 3.1.2 and potentially earlier versions
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when processing specially crafted AAC audio files through the affected decoder.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining local privilege escalation and persistent access.

🟠 Likely Case

Local code execution leading to data theft, system manipulation, or lateral movement within the network.

🟢 If Mitigated

Limited impact if proper sandboxing, privilege separation, and input validation are implemented.

🌐 Internet-Facing: LOW - Requires local access or malicious file upload/processing.
🏢 Internal Only: MEDIUM - Internal users could exploit via malicious files, but requires local execution context.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and ability to process malicious AAC files through ffmpeg.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit d6f293353c94c7ce200f6e0975ae3de49787f91f and later versions

Vendor Advisory: https://trac.ffmpeg.org/ticket/8845

Restart Required: No

Instructions:

1. Update ffmpeg to a version containing commit d6f293353c94c7ce200f6e0975ae3de49787f91f or later.
2. Recompile if building from source.
3. Replace the binary if using pre-compiled packages.

🔧 Temporary Workarounds

Disable AAC decoder (platform: all)

Prevent use of the vulnerable AAC decoder component. Check whether the AAC decoder is compiled into your build:

ffmpeg -codecs | grep aac

Recompile ffmpeg without AAC support if possible.

Sandbox ffmpeg execution (platform: linux)

Run ffmpeg in a restricted environment:

firejail --net=none ffmpeg [options]
bwrap --ro-bind / / --dev /dev --unshare-all --new-session ffmpeg [options]

🧯 If You Can't Patch

  • Implement strict input validation for audio files before processing with ffmpeg
  • Run ffmpeg with minimal privileges and in isolated containers/sandboxes

🔍 How to Verify

Check if Vulnerable:

Check ffmpeg version: ffmpeg -version | grep 'ffmpeg version' and compare to 3.1.2

Check Version:

ffmpeg -version | head -1

Verify Fix Applied:

Verify commit hash includes d6f293353c94c7ce200f6e0975ae3de49787f91f: git log --oneline | grep d6f2933
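The version and commit checks above, as an added example that is not part of the advisory: a POSIX shell helper that classifies an `ffmpeg -version` banner against the 3.1.2 affected version and, for a source checkout, tests whether the fix commit is an ancestor of HEAD (more reliable than grepping an abbreviated hash in `git log`). It assumes GNU `sort -V` for version comparison; git snapshot builds cannot be judged by version number, so they are reported as unknown and need the commit check.

```shell
#!/bin/sh
# Added example, not from the advisory. Classifies an ffmpeg version banner
# against the affected version the advisory lists (3.1.2) and checks a source
# tree for the fix commit. Assumes GNU coreutils (sort -V).

AFFECTED_MAX="3.1.2"   # highest version the advisory lists as affected
FIX_COMMIT="d6f293353c94c7ce200f6e0975ae3de49787f91f"   # fix commit from the advisory

# Extract a dotted version from the first line of `ffmpeg -version`.
# Prints the version, or "git" for snapshot builds; returns 1 if none found.
ffmpeg_version_from_banner() {
    # strip the "ffmpeg version " prefix and keep the first token
    ver=$(printf '%s\n' "$1" | sed -n 's/^ffmpeg version[[:space:]]*//p' | awk '{print $1}')
    [ -n "$ver" ] || return 1
    case "$ver" in
        git-*|N-*) echo git; return 0 ;;   # snapshot builds carry no release number
    esac
    ver=${ver#n}                           # distro/tag style "n4.4.2" -> "4.4.2"
    # keep only the leading digits-and-dots, dropping suffixes like "-static" or "-0ubuntu1"
    printf '%s\n' "$ver" | sed 's/^\([0-9][0-9.]*\).*/\1/'
}

# Echo "affected" (version <= 3.1.2 per the advisory), "check-commit" (newer
# release: confirm the fix commit is present) or "unknown" for a banner line.
ffmpeg_vuln_status() {
    ver=$(ffmpeg_version_from_banner "$1") || { echo unknown; return 0; }
    [ "$ver" = git ] && { echo unknown; return 0; }
    # sort -V orders versions numerically; the affected max sorting last means ver <= 3.1.2
    highest=$(printf '%s\n%s\n' "$ver" "$AFFECTED_MAX" | sort -V | tail -n 1)
    if [ "$highest" = "$AFFECTED_MAX" ]; then echo affected; else echo check-commit; fi
}

# Return 0 if the fix commit is an ancestor of HEAD in the checkout at $1.
# Unlike `git log --oneline | grep`, this does not depend on hash abbreviation length.
fix_commit_present() {
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD
}

# Stand-alone use: classify the installed ffmpeg, if one is on PATH.
if command -v ffmpeg >/dev/null 2>&1; then
    ffmpeg_vuln_status "$(ffmpeg -version 2>/dev/null | head -n 1)"
fi
```

Run `fix_commit_present /path/to/ffmpeg-src && echo fixed` inside a source checkout to confirm the patch is in the built history.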

📡 Detection & Monitoring

Log Indicators:

  • Segmentation faults in ffmpeg processes
  • Unusual ffmpeg process spawning
  • Large memory allocation failures

Network Indicators:

  • Unexpected ffmpeg network connections post-exploit

SIEM Query:

Process:ffmpeg AND (EventID:1000 OR ExceptionCode:c0000005)
