CVE-2025-10256

5.3 MEDIUM

📋 TL;DR

A NULL pointer dereference vulnerability in FFmpeg's Firequalizer filter allows attackers to cause denial of service by crashing applications that process malicious media files. This affects any software using FFmpeg with the Firequalizer filter enabled, including media players, video editors, and streaming services. The vulnerability is triggered when a memory allocation in the filter fails and the result is not properly checked before use.

💻 Affected Systems

Products:
  • FFmpeg
  • Software using FFmpeg libraries (VLC, HandBrake, OBS Studio, etc.)
Versions: FFmpeg versions before commit a25462482c02c004d685a8fcf2fa63955aaa0931
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Firequalizer filter is explicitly enabled during media processing.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete application crash leading to denial of service, potentially disrupting media processing pipelines or services that rely on FFmpeg for real-time processing.

🟠 Likely Case

Application crash when processing malicious media files, causing temporary service disruption until the process restarts.

🟢 If Mitigated

No impact if the Firequalizer filter is disabled or if patched versions are used.

🌐 Internet-Facing: MEDIUM - Exploitation requires user interaction (processing malicious files) but could affect web services that process user-uploaded media.
🏢 Internal Only: LOW - Requires local access or user interaction with malicious files, limited to denial of service.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simple file processing triggers the vulnerability.

Exploitation requires the Firequalizer filter to be active, which is not enabled by default in most applications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FFmpeg commit a25462482c02c004d685a8fcf2fa63955aaa0931 and later

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-10256

Restart Required: Yes

Instructions:

1. Update FFmpeg to the latest version from the official repository.
2. Rebuild any applications using FFmpeg libraries.
3. Restart affected services.

🔧 Temporary Workarounds

Disable Firequalizer Filter

all

Prevent use of the vulnerable filter in FFmpeg processing pipelines.

ffmpeg -i input.mp4 -af "firequalizer=enable=0" output.mp4

Input Validation

all

Implement strict input validation for media files before processing.

🧯 If You Can't Patch

  • Disable Firequalizer filter in all media processing workflows
  • Implement application sandboxing to limit impact of crashes
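
One way to find the workflows that still name the filter, as an added example (not code from FFmpeg or from this advisory): it parses the filtergraph of each ffmpeg command line and reports those that instantiate firequalizer, without being fooled by the word appearing inside a quoted argument. The function names and the sample command lines are constructed for illustration, and only filtergraphs passed inline via -af, -vf, -filter, -filter_complex or -lavfi are covered.

```python
import re
import shlex

# Options whose argument is an inline filtergraph; "-filter:a" style specifiers are stripped.
GRAPH_OPTS = {"-af", "-vf", "-filter", "-filter_complex", "-lavfi"}

def split_top(text, seps=",;"):
    """Split on separators that are neither inside '...' quotes nor backslash-escaped."""
    parts, cur, quoted, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and not quoted and i + 1 < len(text):
            cur, i = cur + text[i:i + 2], i + 2   # escaped char is never a separator
            continue
        if ch == "'":
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    return parts + [cur]

def filter_names(graph):
    """Names of the filters a filtergraph instantiates, ignoring [link] labels and arguments."""
    names = []
    for spec in split_top(graph):
        spec = re.sub(r"^(\s*\[[^\]]*\])*\s*", "", spec)   # drop leading [in] labels
        m = re.match(r"[A-Za-z0-9_]+", spec)               # stops at '=', '@id' or '['
        if m:
            names.append(m.group(0))
    return names

def uses_firequalizer(cmdline):
    argv = shlex.split(cmdline)
    graphs = [val for opt, val in zip(argv, argv[1:]) if opt.split(":", 1)[0] in GRAPH_OPTS]
    return any("firequalizer" in filter_names(g) for g in graphs)

def audit(lines):
    """1-based numbers of the command lines that put firequalizer in a filtergraph."""
    return [n for n, line in enumerate(lines, 1) if uses_firequalizer(line)]

# Constructed sample job definitions (not taken from any real system).
SAMPLES = [
    """ffmpeg -i in.mp4 -af "firequalizer=gain='if(lt(f,1000), 0, -INF)'" out.mp4""",
    """ffmpeg -i in.mp4 -filter_complex "[0:a]volume=0.5,firequalizer@eq=gain_entry='entry(100,0);entry(1000,-6)'[a]" -map "[a]" out.mka""",
    """ffmpeg -i in.mp4 -vf "drawtext=text='eq, firequalizer off'" out.mp4""",
    """ffmpeg -i in.mp4 -filter:a loudnorm out.mp4""",
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Feed `audit()` the command lines from job definitions, wrapper scripts or process-execution logs; every hit is a workflow to change or to prioritise for patching.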

🔍 How to Verify

Check if Vulnerable:

Check the FFmpeg version and verify whether it was built before commit a25462482c02c004d685a8fcf2fa63955aaa0931

Check Version:

ffmpeg -version | grep 'version'

Verify Fix Applied:

Verify that the FFmpeg version includes commit a25462482c02c004d685a8fcf2fa63955aaa0931 or later

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation fault when processing media
  • NULL pointer dereference errors in application logs

Network Indicators:

  • Unusual media file uploads to processing services

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "NULL pointer" OR "SIGSEGV") AND process="ffmpeg"
