CVE-2024-5197

9.1 CRITICAL

📋 TL;DR

This CVE describes integer overflow vulnerabilities in libvpx (VP8/VP9 video codec library) that can occur when processing large image dimensions or alignment parameters. Attackers could exploit these overflows to cause memory corruption, potentially leading to crashes or arbitrary code execution. Any application using vulnerable libvpx versions for video processing is affected.

💻 Affected Systems

Products:
  • libvpx
  • Applications using libvpx (Chrome, Firefox, media players, video editors)
Versions: All versions prior to 1.14.1
Operating Systems: Linux, Windows, macOS, Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that calls vpx_img_alloc() or vpx_img_wrap() with user-controlled parameters is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crashes (denial of service) or memory corruption leading to unstable behavior.

🟢 If Mitigated: Controlled crashes with minimal impact if proper sandboxing and memory protections are in place.

🌐 Internet-Facing: HIGH - Many video processing applications are internet-facing (web browsers, media servers, video conferencing).
🏢 Internal Only: MEDIUM - Internal applications using libvpx for video processing could be exploited through malicious files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious video files or parameters, but no public exploits are currently known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.14.1

Vendor Advisory: https://g-issues.chromium.org/issues/332382766

Restart Required: Yes

Instructions:

1. Update libvpx to version 1.14.1 or later.
2. For Linux: Use package manager (apt-get update && apt-get upgrade libvpx).
3. For applications: Rebuild/reinstall with patched libvpx.
4. Restart affected applications/services.

🔧 Temporary Workarounds

Input validation (all platforms)

Validate image dimensions and alignment parameters before passing to libvpx functions.

Implement parameter bounds checking in application code.
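
An added example of the bounds checking described above; it is not libvpx code and not part of the advisory. The function name check_img_params and the APP_MAX_* limits are assumptions chosen for illustration, and the size estimate models an 8-bit planar frame rather than reproducing libvpx's internal arithmetic.

```c
#include <stdint.h>
#include <stdio.h>

/* Application policy limits: assumptions of this example, not libvpx constants. */
#define APP_MAX_DIM   16384u                  /* largest accepted width/height */
#define APP_MAX_ALIGN 65536u                  /* largest accepted alignment */
#define APP_MAX_BYTES (512ull * 1024 * 1024)  /* per-frame memory budget */

/* Round v up to a multiple of a (a must be a power of two), in 64 bits. */
static uint64_t align_up64(uint64_t v, uint64_t a) {
    return (v + a - 1) & ~(a - 1);
}

/*
 * Hypothetical pre-check to run on untrusted values before they reach
 * vpx_img_alloc() or vpx_img_wrap(). Models an 8-bit planar frame; bps is
 * bits per pixel over all planes (12 for 4:2:0). Returns 0 and stores the
 * estimated byte count in *need, or returns -1 to reject.
 */
int check_img_params(unsigned d_w, unsigned d_h, unsigned align,
                     unsigned bps, uint64_t *need) {
    if (d_w == 0 || d_h == 0 || d_w > APP_MAX_DIM || d_h > APP_MAX_DIM)
        return -1;
    /* Alignment must be a non-zero power of two within policy. */
    if (align == 0 || align > APP_MAX_ALIGN || (align & (align - 1)) != 0)
        return -1;
    if (bps == 0 || bps > 64)
        return -1;

    /* Even dimensions so subsampled chroma planes cover every pixel. */
    uint64_t w = align_up64(d_w, 2);
    uint64_t h = align_up64(d_h, 2);
    /* With the bounds above, every product stays far below 2^64. */
    uint64_t stride = align_up64(w, align);
    uint64_t total = stride * h * bps / 8;
    if (total > APP_MAX_BYTES)
        return -1;
    *need = total;
    return 0;
}

int main(void) {
    uint64_t n = 0;
    int rc = check_img_params(640, 480, 32, 12, &n);
    printf("640x480 align 32: rc=%d bytes=%llu\n", rc, (unsigned long long)n);
    rc = check_img_params(0x80000001u, 16, 32, 12, &n);
    printf("oversized width: rc=%d\n", rc);
    return 0;
}
```

When wrapping a caller-supplied buffer with vpx_img_wrap(), the estimate in *need can also be compared against the buffer's actual length before the call.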

Memory sandboxing (Linux)

Run vulnerable applications in sandboxed environments with limited privileges.

Use containers (Docker), SELinux, or AppArmor policies.

🧯 If You Can't Patch

  • Isolate vulnerable systems from untrusted networks and users.
  • Implement strict file upload controls and scan all video files before processing.

🔍 How to Verify

Check if Vulnerable:

Check libvpx version: dpkg -l | grep libvpx (Debian/Ubuntu) or rpm -qa | grep libvpx (RHEL/CentOS).

Check Version:

vpxenc --version 2>&1 | grep -i 'libvpx' || pkg-config --modversion vpx

Verify Fix Applied:

Confirm the installed version is 1.14.1 or later using the version check command above.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with libvpx in stack trace
  • Memory access violation errors

Network Indicators:

  • Unusual video file uploads to web applications
  • Large dimension parameters in API calls

SIEM Query:

source="application.log" AND "libvpx" AND ("segmentation fault" OR "access violation")
