CVE-2024-36615 – FFmpeg n7.0 has a race condition vulnerability ... (How to Fix)

📋 TL;DR

FFmpeg n7.0 has a race condition vulnerability in its VP9 decoder where video encoding parameters can be accessed simultaneously by decoder and output threads, causing a data race. This affects any application using FFmpeg's VP9 decoder functionality, particularly media processing servers and video applications.

💻 Affected Systems

Products:

FFmpeg

Versions: n7.0 branch specifically

Operating Systems: All platforms running FFmpeg

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects VP9 decoder functionality. Applications must be actively decoding VP9 video streams.

📦 What is this software?

Ffmpeg by Ffmpeg

View all CVEs affecting Ffmpeg →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory corruption leading to application crash, denial of service, or potential arbitrary code execution in FFmpeg process context.

🟠

Likely Case

Application instability, crashes, or corrupted video output during VP9 decoding operations.

🟢

If Mitigated

Minor performance impact or occasional decoding errors if race condition triggers.

🌐 Internet-Facing: MEDIUM - Exploitable if attackers can upload or stream malicious VP9 content to vulnerable servers.

🏢 Internal Only: LOW - Requires local access or specific media processing workflows to trigger.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: HIGH

Race conditions are timing-dependent and difficult to reliably exploit. Requires specific VP9 content and concurrent thread execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 0ba058579f332b3060d8470a04ddd3fbf305be61 and later versions

Vendor Advisory: https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61

Restart Required: Yes

Instructions:

1. Update FFmpeg to version after commit 0ba058579f332b3060d8470a04ddd3fbf305be61
2. Recompile if using source
3. Restart all applications using FFmpeg

🔧 Temporary Workarounds

Disable VP9 decoder

all

Prevent use of vulnerable VP9 decoder by disabling it at compile time or runtime

Configure with --disable-decoder=vp9 during build

Single-threaded decoding

all

Force single-threaded operation to avoid race condition

Set AVCodecContext.thread_count = 1

🧯 If You Can't Patch

Isolate FFmpeg processes in containers with limited privileges
Implement input validation to reject untrusted VP9 content

🔍 How to Verify

Check if Vulnerable:

Check FFmpeg version and if built from n7.0 branch: ffmpeg -version | grep 'version\|commit'

Check Version:

ffmpeg -version

Verify Fix Applied:

Verify commit hash includes 0ba058579f332b3060d8470a04ddd3fbf305be61 or later

📡 Detection & Monitoring

Log Indicators:

FFmpeg segmentation faults
VP9 decoder errors
Memory access violation logs

Network Indicators:

Unexpected VP9 stream termination
Media server crashes during decoding

SIEM Query:

process.name:"ffmpeg" AND (event.type:"crash" OR error.message:"segmentation fault")

📊 Metadata

CVE ID: CVE-2024-36615

CVSS v3 Score: 5.9 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-362

Published: November 29, 2024

Last Updated: June 3, 2025

🔗 References

https://gist.github.com/1047524396/c44e5eaafa8f408eea0c9411205990fb Third Party Advisory
https://github.com/FFmpeg/FFmpeg/blob/n7.0/libavcodec/vp9.c#L1738 Product
https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61 Patch

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-36615, you might also want to check these: