CVE-2024-31581

9.8 CRITICAL

📋 TL;DR

CVE-2024-31581 is an improper array index validation vulnerability in FFmpeg's H.266 video codec parser. A crafted input can drive the parser into undefined behavior, potentially leading to crashes or arbitrary code execution. It affects FFmpeg version n6.1 and any system that uses this version for video processing. The CVSS score of 9.8 reflects that the flaw is reachable remotely through attacker-supplied video files.

💻 Affected Systems

Products:
  • FFmpeg
Versions: n6.1 (specifically vulnerable version)
Operating Systems: Linux, Windows, macOS, BSD - any OS running FFmpeg
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or service using FFmpeg n6.1 for H.266 video processing is vulnerable. This includes media servers, video editing software, web applications, and streaming services.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash leading to denial of service, with potential for memory corruption that could be leveraged for code execution.

🟢 If Mitigated: Application crash with limited impact if proper sandboxing and privilege separation are implemented.

🌐 Internet-Facing: HIGH - FFmpeg is commonly used in web applications for video processing, making internet-facing systems vulnerable to remote attacks.
🏢 Internal Only: MEDIUM - Internal systems using FFmpeg for video processing are vulnerable, but attack surface is reduced compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

The vulnerability is in a widely used library with public technical details available. Attackers can craft malicious H.266 video files to trigger the vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: n6.1.1 and later

Vendor Advisory: https://github.com/ffmpeg/ffmpeg/commit/ce0c178a408d43e71085c28a47d50dc939b60196

Restart Required: Yes

Instructions:

1. Update FFmpeg to version n6.1.1 or later.
2. For Linux systems: use the package manager (apt, yum, dnf) to update.
3. For compiled installations: download the latest source from ffmpeg.org and recompile.
4. Restart all services using FFmpeg.

🔧 Temporary Workarounds

Disable H.266 codec support (Platform: all)

Temporarily disable H.266/HEVC codec processing in the FFmpeg configuration: recompile FFmpeg with the --disable-decoder=hevc --disable-demuxer=hevc flags. Note that H.266 (VVC) and HEVC (H.265) are distinct codecs, so after rebuilding, confirm with ffmpeg -parsers, ffmpeg -decoders and ffmpeg -demuxers that no H.266/VVC components remain in the build either.

Input validation for video files (Platform: all)

Implement strict validation of video file inputs before processing with FFmpeg.

🧯 If You Can't Patch

  • Isolate FFmpeg processes using containerization or sandboxing with minimal privileges
  • Implement network segmentation to restrict access to FFmpeg services

🔍 How to Verify

Check if Vulnerable:

Check the FFmpeg version with ffmpeg -version | grep -i 'ffmpeg version' (the banner line begins with a lowercase "ffmpeg version", so the match must be case-insensitive) and verify whether it reports n6.1.

Check Version:

ffmpeg -version | grep -i 'ffmpeg version'

Verify Fix Applied:

Verify that the reported FFmpeg version is n6.1.1 or later: ffmpeg -version | grep -i 'ffmpeg version'
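As an added example (not part of this advisory or of FFmpeg itself), a POSIX shell check that classifies the ffmpeg -version banner against the affected and fixed versions named above: 6.1 (with or without the "n" tag prefix) is reported as vulnerable, 6.1.1 and later as fixed, and anything else (git snapshots, other release lines) as unknown. Distribution packages may carry the fix as a backport without a version bump, so a result from a vendor build should be confirmed against the vendor's changelog.

```shell
#!/bin/sh
# Added example: classify an `ffmpeg -version` banner for CVE-2024-31581.
# Usage:  ffmpeg -version | sh check_ffmpeg_cve_2024_31581.sh
#    or:  classify_ffmpeg_version "ffmpeg version n6.1 Copyright (c) ..."

# Third word of the banner "ffmpeg version <token> Copyright ..." is the version token.
ffmpeg_version_token() {
    printf '%s\n' "$1" | awk '{print $3}'
}

# Reduce the token to dotted digits: drop the "n" tag prefix and any
# distro/build suffix, e.g. "n6.1" -> "6.1", "6.1.1-3ubuntu5" -> "6.1.1".
ffmpeg_numeric_version() {
    ffmpeg_version_token "$1" | sed -e 's/^n//' -e 's/[^0-9.].*$//'
}

# Print "vulnerable", "fixed" or "unknown" for one banner line.
classify_ffmpeg_version() {
    tok=$(ffmpeg_version_token "$1")
    # Git snapshots (e.g. "N-113000-gabcdef" or "n6.1-3-gabcdef") carry a
    # commit hash; the release number alone cannot tell whether the fix is in.
    case "$tok" in
        *-g[0-9a-f]*) echo unknown; return ;;
    esac
    ver=$(ffmpeg_numeric_version "$1")
    case "$ver" in
        6.1|6.1.0) echo vulnerable ;;                     # the release this advisory names
        6.1.*)     echo fixed ;;                          # 6.1.1 and later point releases
        6.[2-9]*|6.1[0-9]*|[7-9]*|[1-9][0-9]*) echo fixed ;;  # later release lines
        *)         echo unknown ;;                        # older or unparseable: inspect manually
    esac
}

# When run as a script with the banner piped on stdin, report the verdict.
if [ "$#" -eq 0 ] && [ ! -t 0 ]; then
    banner=$(head -n 1)
    if [ -n "$banner" ]; then
        printf '%s: %s\n' "$(classify_ffmpeg_version "$banner")" "$banner"
    fi
fi
```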

📡 Detection & Monitoring

Log Indicators:

  • FFmpeg segmentation faults
  • Memory access violation errors
  • Unexpected FFmpeg process termination

Network Indicators:

  • Unusual video file uploads to processing endpoints
  • Multiple failed video processing attempts

SIEM Query:

process.name:"ffmpeg" AND (event.action:"segmentation_fault" OR event.outcome:"failure")
