CVE-2023-51794
📋 TL;DR
A buffer overflow vulnerability in FFmpeg's stereowiden audio filter allows local attackers to execute arbitrary code by providing specially crafted audio input. This affects systems running vulnerable FFmpeg versions where the filter is used. The vulnerability requires local access to the system.
💻 Affected Systems
- FFmpeg
📦 What is this software?
Ffmpeg by Ffmpeg
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation leading to full system compromise and persistent backdoor installation.
Likely Case
Local user gains elevated privileges or executes arbitrary code in the context of the FFmpeg process.
If Mitigated
Exploitation fails due to security controls like ASLR, DEP, or process isolation.
🎯 Exploit Status
Requires local access and ability to run FFmpeg with crafted audio input targeting the stereowiden filter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in FFmpeg git commit after N113007-g8d24a28d06
Vendor Advisory: https://trac.ffmpeg.org/ticket/10746
Restart Required: No
Instructions:
1. Update FFmpeg to latest version from official repository.
2. Recompile if using source.
3. Verify stereowiden filter is patched.
🔧 Temporary Workarounds
Disable stereowiden filter
Platform: all
Prevent use of vulnerable filter by removing or blocking it.
# Remove filter from FFmpeg build configuration
# Recompile without stereowiden support
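To confirm that a rebuilt binary no longer exposes the filter, the following added example (not from the original page or from FFmpeg) inspects the output of `ffmpeg -filters`. The function names and the two sample listings are constructed for illustration; the exit-code convention (0 absent, 1 exposed, 2 unknown) is an assumption of this example.

```shell
#!/bin/sh
# Added example: report whether an FFmpeg build still exposes the
# stereowiden filter. Sample listings below are constructed, not captured.

# Constructed sample: a stock build that includes the filter.
SAMPLE_STOCK_BUILD='Filters:
  T.. = Timeline support
 ... stereotools       A->A       Apply various stereo tools.
 T.C stereowiden       A->A       Apply stereo widening effect.
 ... volume            A->A       Change input volume.'

# Constructed sample: a build configured with --disable-filter=stereowiden.
SAMPLE_REDUCED_BUILD='Filters:
  T.. = Timeline support
 ... stereotools       A->A       Apply various stereo tools.
 ... volume            A->A       Change input volume.'

# filter_listed NAME
# Reads `ffmpeg -filters` output on stdin. Succeeds only if NAME appears as
# the filter-name column (second field), so "stereotools" never matches
# "stereowiden" and legend lines such as "T.. = Timeline support" are ignored.
filter_listed() {
    awk -v name="$1" '$2 == name { found = 1 } END { exit found ? 0 : 1 }'
}

# stereowiden_status [FFMPEG_BIN]
# Prints "exposed", "absent" or "unknown" for the given binary.
# Returns 0 when absent, 1 when exposed, 2 when the binary cannot be queried.
stereowiden_status() {
    bin=${1:-ffmpeg}
    if ! out=$("$bin" -hide_banner -filters 2>/dev/null); then
        echo unknown
        return 2
    fi
    if printf '%s\n' "$out" | filter_listed stereowiden; then
        echo exposed
        return 1
    fi
    echo absent
    return 0
}
```

Run `stereowiden_status /usr/bin/ffmpeg` against each FFmpeg binary on the host. A binary linked against a shared libavfilter reports whatever that library provides, so repeat the check after library updates.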
Restrict FFmpeg execution
Platform: linux
Limit who can execute FFmpeg to trusted users only.
chmod 750 /usr/bin/ffmpeg
setfacl -m u:trusteduser:rx /usr/bin/ffmpeg
🧯 If You Can't Patch
- Implement strict access controls to limit FFmpeg execution to necessary users only.
- Monitor FFmpeg process execution and filter usage for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check FFmpeg version: ffmpeg -version | grep 'version' and compare to vulnerable version N113007-g8d24a28d06.
Check Version:
ffmpeg -version | head -1
Verify Fix Applied:
Update FFmpeg and verify version is newer than N113007-g8d24a28d06, or test with known proof-of-concept if available.
📡 Detection & Monitoring
Log Indicators:
- FFmpeg crashes with segmentation faults
- Unusual FFmpeg process spawning with stereowiden filter
Network Indicators:
- None - local exploitation only
SIEM Query:
Process:ffmpeg AND (CommandLine:*stereowiden* OR ExitCode:139)