CVE-2024-22860
📋 TL;DR
This integer overflow vulnerability in FFmpeg's JPEG XL Animation decoder allows remote attackers to execute arbitrary code by sending specially crafted files. It affects all systems running FFmpeg versions before n6.1 that process JPEG XL animations. Attackers can exploit this without authentication to achieve remote code execution.
💻 Affected Systems
- FFmpeg
📦 What is this software?
FFmpeg, by the FFmpeg project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Remote code execution allowing attackers to run arbitrary commands, install malware, or create persistent backdoors on vulnerable systems.
If Mitigated
Denial of service or application crash if exploit attempts are blocked or fail, but system remains intact.
🎯 Exploit Status
The vulnerability was discovered through fuzzing and has a public proof-of-concept available. The high CVSS score and remote nature make weaponization likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FFmpeg n6.1 and later
Vendor Advisory: https://github.com/FFmpeg/FFmpeg/commit/d2e8974699a9e35cc1a926bf74a972300d629cd5
Restart Required: No
Instructions:
1. Update FFmpeg to version n6.1 or later using your package manager or from source.
2. For Linux: Use apt-get upgrade ffmpeg, yum update ffmpeg, or similar.
3. For Windows: Download the latest build from ffmpeg.org.
4. Recompile any applications using FFmpeg libraries with the updated version.
🔧 Temporary Workarounds
Disable JPEG XL Animation Decoder
Platform: all
Temporarily disable the vulnerable JPEG XL animation component in FFmpeg. There is no runtime switch for this; it is a build-time configure option, and the component is registered in libavformat as the jpegxl_anim demuxer, so FFmpeg has to be rebuilt with:
./configure --disable-demuxer=jpegxl_anim
Block JPEG XL Files at Perimeter
Platform: all
Configure network filtering to block JPEG XL (.jxl) files at firewalls or web application firewalls
🧯 If You Can't Patch
- Implement strict input validation to reject or sanitize JPEG XL files before processing
- Isolate FFmpeg processing to dedicated, segmented containers or virtual machines with minimal privileges
🔍 How to Verify
Check if Vulnerable:
Run: ffmpeg -version | grep 'version' and check whether the reported version is before n6.1
Check Version:
ffmpeg -version | grep 'version'
Verify Fix Applied:
Run: ffmpeg -version | grep 'version' and confirm the version is n6.1 or later. Distribution packages may backport the fix without changing the reported version; for those, check the distribution's security advisory or changelog for CVE-2024-22860 rather than relying on the version string alone.
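The version check above done programmatically, as an added example that is not part of this advisory or of the FFmpeg project. It parses the first line of `ffmpeg -version` output, handles the `n` tag prefix, distribution suffixes and git snapshot builds (which carry no release number and are reported as unknown), and compares against the n6.1 fix version stated above. The function names and the sample version strings are constructed for this example.

```python
"""Classify an FFmpeg build as fixed, vulnerable or unknown for CVE-2024-22860
from its `ffmpeg -version` output. Added example; not the advisory's or
FFmpeg's own code."""
import re
import subprocess

FIXED_VERSION = (6, 1)  # advisory: fixed in FFmpeg n6.1 and later

# First line of `ffmpeg -version` reads "ffmpeg version <ver> Copyright ...".
# Release tags may carry an "n" prefix ("n6.1"), a distro suffix
# ("6.1.1-3ubuntu5") or be git snapshots ("N-113000-g1234abcd"), which
# have no release number at all.
_VERSION_RE = re.compile(r"^ffmpeg version\s+n?(\d+)\.(\d+)(?:\.(\d+))?", re.I)


def parse_version(version_output: str):
    """Return (major, minor, patch) or None when no release number is present."""
    text = version_output.strip()
    first_line = text.splitlines()[0] if text else ""
    m = _VERSION_RE.match(first_line)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version_output: str) -> str:
    """'fixed', 'vulnerable' or 'unknown'. 'unknown' covers git snapshots and
    unparsable output. A distro package that backports the fix without bumping
    the version shows up as 'vulnerable' here, so confirm those against the
    distribution's advisory instead of trusting the string."""
    v = parse_version(version_output)
    if v is None:
        return "unknown"
    return "fixed" if v[:2] >= FIXED_VERSION else "vulnerable"


def assess_installed() -> str:
    """Run the locally installed ffmpeg (if any) and classify it."""
    try:
        proc = subprocess.run(["ffmpeg", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return "unknown"
    return assess(proc.stdout)


# Constructed sample outputs; not captured from real systems.
SAMPLES = {
    "release_fixed": "ffmpeg version n6.1 Copyright (c) 2000-2023 the FFmpeg developers\n",
    "release_old":   "ffmpeg version 6.0.1 Copyright (c) 2000-2023 the FFmpeg developers\n",
    "distro_old":    "ffmpeg version 4.4.2-0ubuntu0.22.04.1 Copyright (c) 2000-2021 the FFmpeg developers\n",
    "git_snapshot":  "ffmpeg version N-113000-g1234abcd Copyright (c) 2000-2024 the FFmpeg developers\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:14s} -> {assess(text)}")
    print(f"{'installed':14s} -> {assess_installed()}")
```

Run it on a host to get a one-word verdict; treat "unknown" and any "vulnerable" result from a distribution package as "check the vendor advisory", not as a final answer.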
📡 Detection & Monitoring
Log Indicators:
- FFmpeg process crashes with segmentation faults
- Unexpected child processes spawned from FFmpeg
- Abnormal memory usage patterns in FFmpeg processes
Network Indicators:
- Inbound connections followed by FFmpeg process execution
- Network transfers of JPEG XL files to media processing systems
SIEM Query:
process.name:ffmpeg AND (event.action:process_start OR event.action:crash)
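The log indicators and the SIEM query above expressed as detection logic over endpoint process events, as an added example that is not part of this advisory. The events are constructed records in a flat ECS-style shape (`process.name`, `event.action`, `process.parent.name`, `host.name`, `@timestamp`); the field names, the child-process allowlist and the crash-burst threshold are this example's assumptions and have to be mapped to the real log source before use.

```python
"""Flag ffmpeg crashes, unexpected ffmpeg child processes and crash bursts in
a stream of process events. Added example; not the advisory's own tooling."""
from collections import defaultdict

# ffmpeg does not spawn children in normal operation, so any child is
# suspicious. Constructed allowlist for pipelines that knowingly chain tools.
ALLOWED_CHILDREN = {"ffprobe"}
# Assumed threshold: this many ffmpeg crashes on one host inside
# CRASH_WINDOW seconds is treated as a burst (repeated crafted inputs).
CRASH_BURST = 3
CRASH_WINDOW = 300


def classify(event: dict):
    """Return the indicator an event matches, or None."""
    name = event.get("process.name")
    action = event.get("event.action")
    parent = event.get("process.parent.name")
    if name == "ffmpeg" and action == "crash":
        return "ffmpeg_crash"
    if action == "process_start" and parent == "ffmpeg" and name not in ALLOWED_CHILDREN:
        return "ffmpeg_spawned_child"
    if name == "ffmpeg" and action == "process_start":
        return "ffmpeg_start"  # informational; matches the SIEM query above
    return None


def find_crash_bursts(events):
    """Hosts with CRASH_BURST or more ffmpeg crashes within CRASH_WINDOW seconds."""
    per_host = defaultdict(list)
    for e in events:
        if classify(e) == "ffmpeg_crash":
            per_host[e["host.name"]].append(e["@timestamp"])
    bursty = set()
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - CRASH_BURST + 1):
            if times[i + CRASH_BURST - 1] - times[i] <= CRASH_WINDOW:
                bursty.add(host)
                break
    return sorted(bursty)


def triage(events):
    """Return (alert-worthy hits as (timestamp, host, indicator), bursty hosts).
    Plain process starts are left out of the hits; they are context, not alerts."""
    hits = []
    for e in events:
        indicator = classify(e)
        if indicator and indicator != "ffmpeg_start":
            hits.append((e["@timestamp"], e["host.name"], indicator))
    return hits, find_crash_bursts(events)


# Constructed sample events (epoch seconds); not captured from a real system.
SAMPLE_EVENTS = [
    {"@timestamp": 1000, "host.name": "media-01", "process.name": "ffmpeg",
     "event.action": "process_start", "process.parent.name": "transcode-worker"},
    {"@timestamp": 1005, "host.name": "media-01", "process.name": "ffmpeg",
     "event.action": "crash", "process.parent.name": "transcode-worker"},
    {"@timestamp": 1060, "host.name": "media-01", "process.name": "ffmpeg",
     "event.action": "crash", "process.parent.name": "transcode-worker"},
    {"@timestamp": 1120, "host.name": "media-01", "process.name": "ffmpeg",
     "event.action": "crash", "process.parent.name": "transcode-worker"},
    {"@timestamp": 1200, "host.name": "media-02", "process.name": "ffprobe",
     "event.action": "process_start", "process.parent.name": "ffmpeg"},
    {"@timestamp": 1210, "host.name": "media-02", "process.name": "sh",
     "event.action": "process_start", "process.parent.name": "ffmpeg"},
]

if __name__ == "__main__":
    hits, bursts = triage(SAMPLE_EVENTS)
    for ts, host, indicator in hits:
        print(f"{ts} {host} {indicator}")
    print("crash bursts on:", bursts)
```

The burst rule is the one worth tuning: a single segfault can be a corrupt file, while several in a few minutes on one host is the pattern a crafted-input campaign leaves in the logs described above.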