CVE-2024-36613

6.2 MEDIUM

📋 TL;DR

FFmpeg's DXA demuxer in libavformat (dxa.c) contains an integer overflow (CWE-190) in its parsing logic. A specially crafted DXA file triggers it, and the result is a crash (denial of service) or other undefined behaviour in the process that opened the file. Any application or service that lets FFmpeg (ffmpeg, ffprobe, or a program linked against libavformat) open untrusted input is exposed. Note that FFmpeg selects the demuxer by probing file content, so the crafted file does not need a .dxa extension to reach the DXA demuxer.
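The arithmetic pattern behind this bug class, as an added illustration: the code below is not FFmpeg's dxa.c and does not reproduce its exact expression (which this page does not quote). It is a constructed example of a CWE-190 rounding computation on header-derived values, shown in its naive form next to a checked form that rejects the overflow. The function names, the notion of a per-frame chunk size and the sample header values are this example's own assumptions.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Constructed illustration of the CWE-190 pattern behind this bug class,
 * NOT FFmpeg's dxa.c.  A demuxer derives a byte count from header fields
 * and rounds it up to a multiple of an alignment (audio block size, frame
 * count).  Written as `(n + align - 1) / align * align` in int, the
 * addition overflows for n close to INT_MAX, which is undefined behaviour.
 */

/* The unsafe form as it is usually written.  Never call it with values
 * that overflow: signed overflow is undefined behaviour in C. */
int round_up_unsafe(int n, int align)
{
    return ((n + align - 1) / align) * align;
}

/* Models what two's-complement hardware produces when the unsafe form
 * wraps: unsigned arithmetic wraps by definition, and the conversion
 * back to int wraps on gcc/clang (implementation-defined).  Exists only
 * to show the kind of value a demuxer would then carry on with. */
int round_up_wrapped(int n, int align)
{
    unsigned int sum = (unsigned int)n + (unsigned int)align - 1u;
    int wrapped = (int)sum;            /* INT_MIN for n = INT_MAX, align = 2 */
    return (wrapped / align) * align;  /* a negative "size" */
}

/* ceil(n / d) with the addition checked first.
 * Returns 0 and stores the result in *out, or -1 on invalid input or
 * overflow.  A demuxer would map -1 to an invalid-data error. */
int ceil_div_checked(int n, int d, int *out)
{
    if (n < 0 || d <= 0 || out == NULL)
        return -1;
    if (n > INT_MAX - (d - 1))         /* n + d - 1 would overflow */
        return -1;
    *out = (n + d - 1) / d;
    return 0;
}

/* Round n up to a multiple of align.  q * align <= n + align - 1, and the
 * check in ceil_div_checked guarantees that bound fits in int, so the
 * multiplication cannot overflow either. */
int round_up_checked(int n, int align, int *out)
{
    int q;
    if (ceil_div_checked(n, align, &q) != 0)
        return -1;
    *out = q * align;
    return 0;
}

/* Per-frame audio chunk size from header-derived values (constructed
 * shape, not the real demuxer's fields): total audio bytes spread over
 * the frame count, then aligned to the audio block size. */
int frame_chunk_size(int audio_bytes, int frames, int block_align, int *out)
{
    int per_frame;
    if (ceil_div_checked(audio_bytes, frames, &per_frame) != 0)
        return -1;
    return round_up_checked(per_frame, block_align, out);
}

/* Convenience wrappers: the value, or -1 when the checked form rejects. */
int round_up_or_neg(int n, int align)
{
    int out;
    return round_up_checked(n, align, &out) == 0 ? out : -1;
}

int frame_chunk_size_or_neg(int audio_bytes, int frames, int block_align)
{
    int out;
    return frame_chunk_size(audio_bytes, frames, block_align, &out) == 0 ? out : -1;
}

int main(void)
{
    /* Constructed "header" values for a sane file. */
    printf("sane, unsafe form  : %d\n", round_up_unsafe(40000, 512));
    printf("sane, checked form : %d bytes per frame\n",
           frame_chunk_size_or_neg(1000000, 25, 512));

    /* Hostile values: an audio size right at INT_MAX. */
    printf("hostile, wrapped arithmetic: %d\n", round_up_wrapped(INT_MAX, 2));
    printf("hostile, checked form: %s\n",
           frame_chunk_size_or_neg(INT_MAX, 1, 2) < 0 ? "rejected" : "accepted");
    return 0;
}
```

Build with -fsanitize=undefined to see the naive form reported at run time on the hostile values; the checked form turns the same input into a rejection that a demuxer would surface as an invalid-data error instead of continuing with a wrapped size.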

💻 Affected Systems

Products:
  • FFmpeg
Versions: n6.1.1 and earlier; any build that does not include the fix commit listed below
Operating Systems: All platforms running FFmpeg (Linux, Windows, macOS, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Any FFmpeg installation with DXA demuxer support enabled (default configuration) is vulnerable when processing DXA format files.

📦 What is this software?

FFmpeg is a widely used open-source multimedia framework (libavcodec, libavformat and companion libraries, plus the ffmpeg and ffprobe command-line tools) for decoding, encoding, demuxing and transcoding audio and video. libavformat's demuxers parse container formats; DXA is one of the niche formats it supports in a default build.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory corruption leading to remote code execution, if the overflowed value is later used as an allocation or read size. Nothing on this page demonstrates that; the CWE-190 classification and the public description point to a crash or undefined behaviour, so treat RCE as the ceiling rather than the expected outcome.

🟠

Likely Case

Denial of service: the ffmpeg/ffprobe process (or the worker that links libavformat) crashes while demuxing the crafted file. On a transcoding service, repeated submissions can keep workers crashing and stall the processing queue.

🟢

If Mitigated

Process isolation (one short-lived, sandboxed FFmpeg process per job) confines the crash to that job; rejecting DXA input from untrusted sources removes the trigger entirely.

🌐 Internet-Facing: MEDIUM - Any service that runs FFmpeg on user-uploaded media can be targeted. Because FFmpeg probes the container type from file content, a crafted DXA file can be uploaded under any extension; the attacker only needs the file to be opened by the vulnerable demuxer.
🏢 Internal Only: LOW - Internal pipelines that only process media from trusted sources carry minimal risk; exploitation requires a crafted file to reach FFmpeg.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof-of-concept file is available from the GitHub gist cited in the original report. Exploitation consists of getting the vulnerable demuxer to open that file; no authentication or user interaction beyond delivering the file is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed by commit 50d8e4f27398fd5778485a827d7a2817921f8540 in the FFmpeg git repository; any release or distribution package that carries this commit is fixed

Vendor Advisory: https://github.com/ffmpeg/ffmpeg/commit/50d8e4f27398fd5778485a827d7a2817921f8540

Restart Required: Yes for long-running services. A process that already has libavformat loaded keeps the old code until it is restarted; one-shot ffmpeg/ffprobe invocations pick up the new binary on their next run.

Instructions:

1. Update FFmpeg to a build that includes commit 50d8e4f27398fd5778485a827d7a2817921f8540.
2. If building from source, fetch the fix and rebuild.
3. If using pre-built packages, install the vendor's patched package (check its changelog for CVE-2024-36613, since distributions backport fixes without changing the upstream version string) and restart any service that links libavformat.

🔧 Temporary Workarounds

Disable DXA demuxer

all

Remove DXA support from FFmpeg so the vulnerable demuxer cannot be reached. This is only possible for source builds; pre-built distribution packages cannot be altered this way. Legitimate DXA files (a game-cutscene format rarely seen in production media pipelines) will then fail to open.

Check whether the demuxer is compiled in (a D in the first column of the output means demuxing is supported):
ffmpeg -formats | grep dxa

Recompile FFmpeg with --disable-demuxer=dxa passed to configure (keeping your existing configure options), then reinstall the build.

Input validation

linux

Reject DXA files before they are handed to FFmpeg. Check the file content, not the extension: FFmpeg selects the demuxer by probing the first bytes of the file, so a crafted DXA file renamed to .mp4 still reaches the DXA demuxer. DXA files begin with the four ASCII bytes DEXA.

Use magic-byte detection on the first four bytes of the upload. file --mime-type input.dxa is only as reliable as libmagic's signature database, which may not carry an entry for DXA, so prefer a direct signature check. Do not use ffprobe to identify the file type: it runs the same vulnerable demuxer.
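A content-based gate for the input-validation workaround above, as an added example (not FFmpeg's code; the function names and the sample buffers are this example's own). It relies on the DXA signature, the ASCII bytes DEXA at offset 0, and on the fact that FFmpeg chooses the demuxer by probing content, so an extension or MIME check alone is not enough.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example: content-based gate that rejects DXA input before it is
 * handed to ffmpeg/ffprobe.  Checks the signature, not the extension or a
 * MIME guess, because FFmpeg selects the demuxer by probing the first
 * bytes of the file.  Names and sample buffers are this example's own.
 */

/* DXA files start with the ASCII bytes "DEXA". */
static const unsigned char DXA_MAGIC[4] = { 'D', 'E', 'X', 'A' };

/* True when buf begins with the DXA signature. */
bool looks_like_dxa(const unsigned char *buf, size_t len)
{
    return len >= sizeof DXA_MAGIC &&
           memcmp(buf, DXA_MAGIC, sizeof DXA_MAGIC) == 0;
}

/* Decision for an in-memory header: 1 = pass to FFmpeg, 0 = reject.
 * Anything that is not DXA is accepted by this gate; allow-listing of
 * the formats you actually expect belongs in front of it. */
int gate_header(const unsigned char *buf, size_t len)
{
    return looks_like_dxa(buf, len) ? 0 : 1;
}

/* Same decision for a file on disk; reads only the first bytes.
 * Returns 1 = accept, 0 = reject (DXA), -1 = file cannot be read. */
int gate_path(const char *path)
{
    unsigned char hdr[16];
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return gate_header(hdr, n);
}

int main(int argc, char **argv)
{
    /* Constructed sample headers: a DXA signature followed by arbitrary
     * bytes, and a RIFF/AVI header. */
    static const unsigned char dxa_like[8] = { 'D', 'E', 'X', 'A', 0, 0, 0, 0 };
    static const unsigned char riff_like[12] =
        { 'R', 'I', 'F', 'F', 0, 0, 0, 0, 'A', 'V', 'I', ' ' };

    printf("dxa_like  -> %s\n", gate_header(dxa_like, sizeof dxa_like) ? "accept" : "reject");
    printf("riff_like -> %s\n", gate_header(riff_like, sizeof riff_like) ? "accept" : "reject");

    /* Any paths given on the command line are gated the same way. */
    for (int i = 1; i < argc; i++) {
        int r = gate_path(argv[i]);
        printf("%s -> %s\n", argv[i],
               r == 1 ? "accept" : r == 0 ? "reject (DXA)" : "unreadable");
    }
    return 0;
}
```

Run the gate on the upload before any ffmpeg or ffprobe invocation and treat both 0 and -1 as "do not process"; an unreadable file should never be retried through FFmpeg on the assumption that it is harmless.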

🧯 If You Can't Patch

  • Run FFmpeg as a short-lived, sandboxed process per job (container, seccomp/AppArmor profile, no network, minimal filesystem) so a crash affects only that job
  • Reject DXA input from untrusted sources by checking file content (the DEXA signature), not the file extension
  • Where the expected container is known, force it with -f <format> on the input so FFmpeg does not auto-probe and route a disguised file to the DXA demuxer

🔍 How to Verify

Check if Vulnerable:

The version number alone is not decisive: n6.1.1 and earlier are affected upstream, but distributions backport fixes without changing the version string. Treat a build as vulnerable if it predates the fix commit and the DXA demuxer is compiled in.

Check Version:

ffmpeg -version | head -1

Then confirm the demuxer is present with ffmpeg -formats | grep dxa (no output means the demuxer is absent and the bug is unreachable).

Verify Fix Applied:

For a source build, confirm the checkout contains commit 50d8e4f27398fd5778485a827d7a2817921f8540 (for example via git log). For a distribution package, check the package changelog for CVE-2024-36613. For a functional test, open the known malicious DXA file with an FFmpeg build compiled with UndefinedBehaviorSanitizer: a patched build reports no signed-overflow error.

📡 Detection & Monitoring

Log Indicators:

  • ffmpeg/ffprobe or media-worker processes terminating with SIGSEGV/SIGABRT (kernel segfault messages in dmesg or the journal, core dumps, supervisor restart loops) shortly after a job starts
  • FFmpeg's own output reporting the input as DXA (the Input #0 line names the detected format as dxa) on a service that does not expect that format
  • In sanitizer builds, UBSan runtime errors referencing libavformat/dxa.c

Network Indicators:

  • Uploads to media-processing endpoints whose content begins with the DXA signature (DEXA), regardless of file extension; repeated uploads of the same small file from one source

SIEM Query:

process.name:(ffmpeg OR ffprobe) AND (event.action:crash OR log.level:error)

🔗 References
