CVE-2020-35965
📋 TL;DR
CVE-2020-35965 is an out-of-bounds write vulnerability in FFmpeg's EXR image decoder that could allow attackers to execute arbitrary code or cause a denial of service. It affects systems that use FFmpeg to process OpenEXR image files. The vulnerability is caused by incorrect size calculations for memset zero operations in the decode_frame function.
💻 Affected Systems
- FFmpeg
📦 What is this software?
FFmpeg, by the FFmpeg project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise
Likely Case
Application crash or denial of service
If Mitigated
Limited impact with proper sandboxing and memory protection
🎯 Exploit Status
Exploitation requires crafting malicious EXR files; proof-of-concept available in OSS-Fuzz reports
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FFmpeg 4.3.2 and later
Vendor Advisory: https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b
Restart Required: Yes
Instructions:
1. Update FFmpeg to version 4.3.2 or later.
2. Rebuild applications using FFmpeg libraries.
3. Restart affected services.
🔧 Temporary Workarounds
Disable EXR decoder
Build FFmpeg without the vulnerable EXR decoder. This is a configure-time option for source builds, not a runtime flag of the ffmpeg binary:
./configure --disable-decoder=exr
Input validation
Implement file type validation before processing EXR files
🧯 If You Can't Patch
- Implement strict input validation for EXR files
- Run FFmpeg in sandboxed/containerized environments with limited privileges
🔍 How to Verify
Check if Vulnerable:
Print the FFmpeg version string: ffmpeg -version | grep 'version'
Check Version:
ffmpeg -version | head -1
Verify Fix Applied:
Verify that the installed version is 4.3.2 or higher, and test with known malicious EXR files
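The version check above, worked through as a small POSIX sh script. This is an added example, not part of the advisory: it parses the first line of `ffmpeg -version` and compares it against the 4.3.2 fix level, using constructed sample lines so it runs without FFmpeg installed. Distribution builds may carry a backported fix under an older version string (see the Debian and Gentoo advisories in the references), so "below-fix-version" means "check your vendor's changelog", not a confirmed vulnerable build.

```shell
#!/bin/sh
# Added example (not from the advisory): compare the ffmpeg version string
# against the 4.3.2 fix level named for CVE-2020-35965.

FIXED_VERSION="4.3.2"

# extract_ffmpeg_version LINE -> prints the numeric version, e.g. "4.3.1".
# Accepts release tags like "4.3.1" and "n4.3.1"; a distro suffix such as
# "4.3.1-0ubuntu0.2" is cut off at the "-". Git snapshots print nothing.
extract_ffmpeg_version() {
    printf '%s\n' "$1" | sed -n 's/^ffmpeg version n\{0,1\}\([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B -> returns 0 if A >= B, comparing dot-separated fields
# numerically (so 4.10 > 4.3, and 4.3 < 4.3.2).
version_ge() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0   # all fields equal
        x=${x:-0}; y=${y:-0}                     # missing field counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# exr_fix_status LINE -> prints "patched", "below-fix-version" or "unknown".
exr_fix_status() {
    v=$(extract_ffmpeg_version "$1")
    if [ -z "$v" ]; then
        echo unknown               # snapshot build: check the commit history instead
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo patched
    else
        echo below-fix-version
    fi
}

# Constructed sample lines standing in for the first line of `ffmpeg -version`.
SAMPLE_OLD="ffmpeg version 4.3.1 Copyright (c) 2000-2020 the FFmpeg developers"
SAMPLE_NEW="ffmpeg version n4.4.2 Copyright (c) 2000-2021 the FFmpeg developers"

# To check the build installed on this host instead of the samples:
# exr_fix_status "$(ffmpeg -version 2>/dev/null | head -1)"
```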
📡 Detection & Monitoring
Log Indicators:
- FFmpeg segmentation faults
- Memory access violation errors
- Abnormal process termination
Network Indicators:
- Unexpected EXR file uploads
- Large number of EXR processing requests
SIEM Query:
process.name:ffmpeg AND (event.action:segfault OR event.action:memory_violation)
🔗 References
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26532
- https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b
- https://github.com/FFmpeg/FFmpeg/commit/b0a8b40294ea212c1938348ff112ef1b9bf16bb3
- https://lists.debian.org/debian-lts-announce/2021/01/msg00026.html
- https://security.gentoo.org/glsa/202105-24
- https://www.debian.org/security/2021/dsa-4990