CVE-2024-35366

9.1 CRITICAL

📋 TL;DR

CVE-2024-35366 is an integer overflow in FFmpeg's libavformat, in the parse_options function of libavformat/sbgdec.c, the demuxer for SBaGen (.sbg) binaural-beat scripts. A script that declares a negative duration drives an arithmetic overflow in the parser; the published description credits the bug with denial of service (a crash of the process running ffmpeg) and names FFmpeg n6.1.1. Code execution has not been demonstrated and should be treated as a theoretical ceiling, not the expected outcome. The bug matters despite living in an obscure demuxer because libavformat selects a demuxer primarily by probing file content, not by extension, so any service that hands untrusted uploads to ffmpeg without forcing the input format can reach this code path.

💻 Affected Systems

Products:
  • FFmpeg
Versions: n6.1.1 is the release named in the entry. Older releases ship the same sbgdec.c code and should be assumed affected until checked against the fix commit; newer releases and distribution packages must be checked against the commit or the package changelog, since distributions backport fixes without changing the upstream version string.
Operating Systems: Linux, Windows, macOS, BSD - all platforms running FFmpeg
Default Config Vulnerable: ⚠️ Yes. The sbg demuxer is compiled into a default FFmpeg build; only builds configured with --disable-demuxer=sbg omit the vulnerable code.
Notes: Any application or service that uses libavformat to open media files is potentially exposed, including media servers, video editing software, web applications with media upload features, and multimedia tools. Because the demuxer is chosen by content probing, a renamed text script reaches this parser regardless of its extension unless the caller forces the input format.

📦 What is this software?

FFmpeg is an open-source multimedia framework used for decoding, encoding, transcoding and streaming. libavformat is its container (demuxing and muxing) library; libavformat/sbgdec.c implements the demuxer for SBaGen scripts, a small text format describing binaural-beat sessions, which libavformat can select automatically when probing an input file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment. Nothing public shows more than a crash for this bug, so this is the ceiling for a memory-safety bug in a parser, not a demonstrated outcome.

🟠 Likely Case

Denial of service: the process running ffmpeg crashes while parsing the crafted script, interrupting the media job and any service that waits on it.

🟢 If Mitigated

With input validation, the input format forced rather than probed, and ffmpeg run in a sandbox with a timeout, the impact is a failed job rather than a compromised or unavailable host.

🌐 Internet-Facing: HIGH - FFmpeg is commonly used in web applications for media processing, and libavformat picks a demuxer by content, so a text script uploaded under any media extension reaches the vulnerable parser on an internet-facing system.
🏢 Internal Only: MEDIUM - Internal systems using FFmpeg for media processing could be exploited through malicious files, but requires file upload/processing capabilities.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerable code is a core parsing function, and the trigger is a small text script rather than a binary media file, so reproducing the crash needs no reverse engineering or exploit development. The public references point at the exact code location. What is public is a crash trigger; nothing beyond denial of service has been shown.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed by commit 0bed22d597b78999151e3bde0768b7fe763fc2a6 in the FFmpeg git tree. Use a release that contains that commit, or a distribution package whose changelog references CVE-2024-35366.

Vendor Advisory: https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6

Restart Required: Yes

Instructions:

1. Update FFmpeg to a release that contains the fix commit, or apply the distribution security update that references CVE-2024-35366.
2. Rebuild any application that statically links libavformat, and rebuild container images that bundle their own ffmpeg.
3. Restart every service and application that had the old library loaded.
4. Verify the fix by checking the version and re-running the input that previously crashed the parser.

🔧 Temporary Workarounds

Input validation wrapper

all

Pre-filter media files before handing them to FFmpeg. This is a coarse check only: libavformat probes content itself, so a rejected MIME type stops the obvious case (an .sbg script is text/plain) but not a polyglot that starts with a valid media header.

# Example: coarse pre-filter on detected MIME type before calling ffmpeg.
# libavformat probes content itself, so this only rejects obvious non-media
# (an .sbg script is text/plain); a polyglot with a valid media header passes.
input_file="$1"
mime=$(file -b --mime-type -- "$input_file")
case "$mime" in
  video/*|audio/*|image/*) ffmpeg -nostdin -i "$input_file" ... ;;
  *) echo "Invalid file type: $mime" >&2; exit 1 ;;
esac

Sandbox execution

linux

Run FFmpeg in a container or sandbox with no network, no capabilities, an unprivileged user and a memory cap, so a crash or hang is confined to the one job.

# Docker example (the image name "ffmpeg" is a placeholder for your own build)
docker run --rm --network none --cap-drop ALL --security-opt no-new-privileges \
  --read-only --user 65534:65534 --memory 2g -v "$(pwd)":/data \
  ffmpeg -nostdin -i /data/input.mp4 /data/output.mp4
# Bubblewrap example (drop the /lib64 bind on distros without that directory)
bwrap --unshare-all --die-with-parent --new-session --ro-bind /usr /usr \
  --ro-bind /lib /lib --ro-bind /lib64 /lib64 --bind "$(pwd)" "$(pwd)" \
  --dev /dev --proc /proc ffmpeg -nostdin -i input.mp4 output.mp4

🧯 If You Can't Patch

  • Disable or restrict media file upload/processing capabilities in vulnerable applications
  • Force the input format in every ffmpeg invocation instead of letting libavformat probe it, so the sbg demuxer is never selected for an uploaded file
  • Rebuild FFmpeg with the sbg demuxer disabled (a configure option) where no workload needs SBaGen scripts
  • Implement network segmentation to isolate systems running vulnerable FFmpeg versions
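The two workarounds above (input validation and sandboxing) and the "force the input format" point are combined below in one wrapper. This is an added example, not code from the CVE entry or from the FFmpeg project: the demuxer names in the allowlist are FFmpeg's own, but the allowlist itself, the 120-second limit, the 2 GiB address-space cap and the fixed mp4 output are assumptions to adjust for your workload. It assumes GNU coreutils timeout is installed.

```sh
#!/bin/sh
# Added example, not part of the CVE entry or of FFmpeg: a wrapper that never
# lets libavformat auto-probe the input. The demuxer is chosen by content, not
# by file name, so a text script uploaded as "clip.mp4" can still reach
# sbgdec.c; passing -f pins the demuxer and keeps that code path out entirely.
# Build-time alternative where nothing needs SBaGen scripts:
#   ./configure --disable-demuxer=sbg

# Allowlist (assumed): declared container type -> demuxer name for "ffmpeg -f".
# Anything not listed is rejected; the names are FFmpeg's own demuxer names.
demuxer_for_type() {
    case "$1" in
        mp4|m4a|mov) echo mp4 ;;
        mkv|webm)    echo matroska ;;
        mp3)         echo mp3 ;;
        wav)         echo wav ;;
        flac)        echo flac ;;
        ogg|oga)     echo ogg ;;
        *)           return 1 ;;
    esac
}

# Build the command line, one argument per line: forced input demuxer, no
# stdin, a hard wall-clock limit, and a fixed output container.
# Assumed: GNU coreutils "timeout" is available; 120 s suits the workload.
safe_ffmpeg_args() {
    declared=$1; src=$2; dst=$3
    fmt=$(demuxer_for_type "$declared") || {
        echo "rejected: declared type '$declared' is not allowed" >&2
        return 1
    }
    printf '%s\n' timeout -s KILL 120s ffmpeg -nostdin -hide_banner -loglevel error \
        -f "$fmt" -i "$src" -f mp4 "$dst"
}

# Run under resource limits. Usage: safe_ffmpeg mkv upload.bin out.mp4
safe_ffmpeg() {
    args=$(safe_ffmpeg_args "$@") || return 1
    # Rebuild the argument list from the newline-separated form (no globbing,
    # paths may contain spaces but not newlines).
    IFS='
'
    set -f
    set -- $args
    set +f
    unset IFS
    # Subshell so the limits apply only to this job: no core dumps from a
    # crashing parser, 2 GiB address-space cap (assumed; tune per workload).
    ( ulimit -c 0; ulimit -v 2097152; exec "$@" )
}
```

The declared type must come from something the application controls (the upload endpoint, a content-negotiated route), never from the file's own extension or a user-supplied MIME header; the point is that the decision of which parser runs is made by your code, not by libavformat's probe.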

🔍 How to Verify

Check if Vulnerable:

Check the FFmpeg version with ffmpeg -version | grep 'version' and treat n6.1.1 as affected; older releases carry the same code and should be assumed affected until checked against the fix commit. To reproduce, use an SBaGen (.sbg) script with a negative duration option as described in the public references: a vulnerable build crashes while parsing it.

Check Version:

ffmpeg -version | grep -E 'version|built'

Verify Fix Applied:

Update FFmpeg and verify either that the version is newer than n6.1.1 and the release notes or package changelog reference the fix, or, for a build from git, that the tree contains commit 0bed22d597b78999151e3bde0768b7fe763fc2a6. Re-run the same crafted script that previously caused crashes; it should now be rejected or handled safely.
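The version checks above, as an added example that is not part of the CVE entry or of FFmpeg. The banner parser and the "affected if at or below 6.1.1" rule are this example's own logic (the entry names only n6.1.1, and a newer version string is a hint, not proof, because distributions backport fixes without bumping it); the live checks use real ffmpeg and git commands and need ffmpeg on PATH and, for git builds, a source checkout pointed to by the assumed FFMPEG_SRC variable.

```sh
#!/bin/sh
# Added example (not from the CVE entry or from FFmpeg): classify an
# `ffmpeg -version` banner against the affected release, and show the two
# live checks that go beyond the version string.

# Pull the version token out of the first banner line:
#   "ffmpeg version n6.1.1 Copyright ..."           -> 6.1.1
#   "ffmpeg version 6.1.1-3ubuntu5 Copyright ..."   -> 6.1.1  (distro suffix dropped)
#   "ffmpeg version N-113000-g0bed22d597 ..."       -> snapshot (git build)
ffmpeg_release_from_banner() {
    tok=$(printf '%s\n' "$1" | sed -n 's/^ffmpeg version \([^ ]*\).*/\1/p')
    case "$tok" in
        N-*|git-*|*-g[0-9a-f]*) echo snapshot ;;
        *) printf '%s\n' "$tok" | sed 's/^n//; s/[-+~].*//' ;;
    esac
}

# Portable major.minor.micro comparison: succeeds when $1 <= $2
# (missing components count as 0, so 6.1 <= 6.1.1).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# Verdict for one banner. Versions at or below 6.1.1 are "affected"; anything
# newer is "newer-release", which still needs the changelog or commit check.
classify_ffmpeg_banner() {
    rel=$(ffmpeg_release_from_banner "$1")
    case "$rel" in
        snapshot) echo snapshot ;;
        "")       echo unknown ;;
        *) if version_le "$rel" 6.1.1; then echo affected; else echo newer-release; fi ;;
    esac
}

# Live checks (need ffmpeg on PATH; FFMPEG_SRC is an assumed variable naming
# the source checkout for git builds).
live_check() {
    classify_ffmpeg_banner "$(ffmpeg -version 2>/dev/null | head -n 1)"
    # Is the vulnerable demuxer compiled in at all?
    if ffmpeg -hide_banner -demuxers 2>/dev/null | grep -qw sbg; then
        echo "sbg demuxer present"
    else
        echo "sbg demuxer absent"
    fi
    # For a build from git: is the fix commit an ancestor of HEAD?
    if git -C "${FFMPEG_SRC:-.}" merge-base --is-ancestor \
            0bed22d597b78999151e3bde0768b7fe763fc2a6 HEAD 2>/dev/null; then
        echo "fix commit is an ancestor of HEAD"
    fi
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it as `sh check.sh --live` on the host in question. "sbg demuxer absent" means the vulnerable code is not in the binary at all, whatever the version says; "snapshot" means the version string cannot answer the question and only the commit check counts.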

📡 Detection & Monitoring

Log Indicators:

  • FFmpeg segmentation faults or abnormal termination
  • Unexpected process crashes during media processing
  • Error messages or backtraces mentioning sbgdec.c or parse_options (typically only from sanitizer or debug builds, or from core-dump analysis)

Network Indicators:

  • Unusual media file uploads to web applications
  • Multiple failed media processing attempts
  • Traffic patterns suggesting media file fuzzing

SIEM Query:

source="*ffmpeg*" AND ("segmentation fault" OR "SIGSEGV" OR "aborted" OR "parse_options")
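The log indicators and the SIEM query above, turned into a filter and run over constructed log lines. This is an added example, not part of the CVE entry: the kernel "segfault at" line and the systemd-coredump line follow their real formats, while the worker[...] lines are an invented application log (exit status 139 is 128 + SIGSEGV, 134 is 128 + SIGABRT), so that pattern has to be adapted to your own job runner's messages.

```sh
#!/bin/sh
# Added example, not part of the CVE entry: the log indicators turned into a
# small filter, exercised on constructed syslog lines (not real host data).

SAMPLE_LOG='Jun  3 10:14:02 media1 kernel: [12345.678901] ffmpeg[4242]: segfault at 0 ip 00007f3a1c0b5e10 sp 00007ffd2c1e4a30 error 4 in libavformat.so.60.16.100[7f3a1c000000+2d0000]
Jun  3 10:14:02 media1 systemd-coredump[4250]: Process 4242 (ffmpeg) of user 1000 dumped core.
Jun  3 10:14:03 media1 worker[900]: transcode job 77 failed: ffmpeg exited with status 139
Jun  3 10:14:05 media1 sshd[12]: Accepted publickey for ops from 10.0.0.5 port 51234 ssh2
Jun  3 10:14:09 media1 worker[900]: transcode job 78 failed: ffmpeg exited with status 139
Jun  3 10:14:11 media1 worker[900]: transcode job 79 succeeded'

# Lines on stdin that indicate an ffmpeg crash or abort: the kernel segfault
# record, a systemd-coredump record, a systemd unit killed by SEGV/ABRT, an
# (assumed) worker line with exit status 139/134, or a backtrace naming the
# vulnerable source file or function.
ffmpeg_crash_lines() {
    grep -E 'ffmpeg\[[0-9]+\]: segfault at|Process [0-9]+ \(ffmpeg\) of user [0-9]+ dumped core|ffmpeg exited with status (139|134)|status=(11/SEGV|6/ABRT)|sbgdec\.c|parse_options'
}

# Number of crash indicators in the input.
count_ffmpeg_crashes() {
    ffmpeg_crash_lines | wc -l | tr -d ' '
}

# Burst detection: hosts (syslog field 4) with at least $1 crash indicators.
# Repeated crashes from one host in a short span separate an attacker probing
# an upload endpoint from a single bad file.
crash_bursts() {
    ffmpeg_crash_lines | awk -v t="$1" '{ c[$4]++ } END { for (h in c) if (c[h] >= t) print h, c[h] }'
}

# Stand-alone run over the sample.
printf '%s\n' "$SAMPLE_LOG" | ffmpeg_crash_lines
echo "crash indicators: $(printf '%s\n' "$SAMPLE_LOG" | count_ffmpeg_crashes)"
printf '%s\n' "$SAMPLE_LOG" | crash_bursts 3
```

Feed it real input with journalctl -o short or a syslog file on stdin. A single crash is a bad file or a bug; several crashes from the same host within minutes, paired with upload logs for the same period, is the pattern worth paging on.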
