CVE-2024-36619

5.3 MEDIUM

📋 TL;DR

CVE-2024-36619 is an integer overflow vulnerability in FFmpeg's WAVARC decoder that can cause a denial-of-service condition when processing specially crafted WAVARC audio files. This affects any system or application using FFmpeg's libavcodec library to decode WAVARC files. The vulnerability is present in FFmpeg version 6.1.1 and potentially earlier versions.

💻 Affected Systems

Products:
  • FFmpeg
  • Applications using FFmpeg libavcodec library
Versions: FFmpeg 6.1.1 and potentially earlier versions
Operating Systems: Linux, Windows, macOS, BSD, All platforms running FFmpeg
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with WAVARC decoder enabled (default in FFmpeg). Applications must process WAVARC audio files to be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete application or service crash leading to sustained denial-of-service, potentially affecting availability of media processing services.

🟠 Likely Case

Application crash or hang when processing malicious WAVARC files, requiring restart of affected services.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, potentially causing only isolated process crashes.

🌐 Internet-Facing: MEDIUM - Applications accepting user-uploaded audio files could be targeted, but requires specific WAVARC format exploitation.
🏢 Internal Only: LOW - Requires processing of malicious WAVARC files, which is less likely in controlled internal environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious WAVARC file and getting it processed by vulnerable FFmpeg. No authentication needed if file processing is accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 28c7094b25b689185155a6833caf2747b94774a4 and later versions

Vendor Advisory: https://github.com/ffmpeg/ffmpeg/commit/28c7094b25b689185155a6833caf2747b94774a4

Restart Required: Yes

Instructions:

1. Update FFmpeg to a version containing commit 28c7094b25b689185155a6833caf2747b94774a4 or later.
2. Rebuild any applications using FFmpeg libraries.
3. Restart affected services using FFmpeg.

🔧 Temporary Workarounds

Disable WAVARC decoder

all

Disable the vulnerable WAVARC decoder in FFmpeg configuration

Recompile FFmpeg with --disable-decoder=wavarc configure option

Input filtering

all

Block or filter WAVARC files from being processed

Implement file type validation to reject .wavarc or WAVARC-encoded files

🧯 If You Can't Patch

  • Implement strict input validation to reject suspicious or malformed audio files
  • Run FFmpeg in sandboxed/containerized environments with resource limits to contain crashes

🔍 How to Verify

Check if Vulnerable:

Check the FFmpeg version and whether its source still contains the vulnerable code at line 651 of wavarc.c

Check Version:

ffmpeg -version | grep 'version'

Verify Fix Applied:

Verify FFmpeg version includes commit 28c7094b25b689185155a6833caf2747b94774a4 or test with known malicious WAVARC files
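
One way to confirm whether the WAVARC decoder is compiled into a build, or that the `--disable-decoder=wavarc` workaround took effect, is to parse the `ffmpeg -decoders` listing. This is an added example, not part of the original advisory or FFmpeg's own tooling; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not FFmpeg tooling): decide from a decoder listing, in the
# format printed by `ffmpeg -decoders`, whether the WAVARC decoder is offered.

# wavarc_in_listing: reads a listing on stdin.
# Exit status 0 = "wavarc" decoder present, 1 = absent.
wavarc_in_listing() {
    awk '
        # Decoder rows start after the " ------" separator; above it is the flag legend.
        /^ *-+ *$/ { in_table = 1; next }
        # Row layout is <flags> <name> <description>. Compare the name column
        # exactly so a description that mentions wavarc cannot match.
        in_table && $2 == "wavarc" { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# check_ffmpeg [binary]: hypothetical wrapper that runs the check on a real build.
# Exit status 0 = decoder absent, 1 = decoder present, 2 = binary not found.
check_ffmpeg() {
    bin="${1:-ffmpeg}"
    command -v "$bin" >/dev/null 2>&1 || { echo "$bin: not found"; return 2; }
    if "$bin" -hide_banner -decoders 2>/dev/null | wavarc_in_listing; then
        echo "$bin: wavarc decoder enabled; patch or rebuild with --disable-decoder=wavarc"
        return 1
    fi
    echo "$bin: wavarc decoder not compiled in"
}

# Constructed sample listings (not captured from a real build).
sample_enabled() {
    cat <<'EOF'
Decoders:
 A..... = Audio
 ------
 A....D wavarc               Waveform Archiver
 A....D wavpack              WavPack
EOF
}
sample_disabled() {
    cat <<'EOF'
Decoders:
 A..... = Audio
 ------
 A....D wavpack              WavPack
 A....D example_dec          constructed row: description mentions wavarc
EOF
}
```

The `ffmpeg` binary on PATH can be a different build from the libavcodec an application links against, so check the build the service actually uses.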

📡 Detection & Monitoring

Log Indicators:

  • FFmpeg process crashes
  • Segmentation fault errors
  • Abnormal termination of media processing services

Network Indicators:

  • Multiple failed media processing requests
  • Unusual WAVARC file uploads

SIEM Query:

process.name:"ffmpeg" AND (event.action:"crashed" OR log.level:"error")
