CVE-2024-35365
Published: 03 January 2025
Description
FFmpeg version n6.1.1 has a double-free vulnerability in the fftools/ffmpeg_mux_init.c component of FFmpeg, specifically within the new_stream_audio function.
Security Summary
CVE-2024-35365 is a double-free vulnerability (CWE-415) in FFmpeg version n6.1.1, located in the fftools/ffmpeg_mux_init.c component, specifically within the new_stream_audio function. This flaw affects the FFmpeg multimedia framework, which is widely used for handling audio and video processing in various applications and tools. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Remote attackers can exploit this vulnerability by tricking a user into processing a specially crafted media file with the affected FFmpeg version; user interaction is required (UI:R), such as running the ffmpeg tool on malicious input. No privileges are needed (PR:N), attack complexity is low (AC:L), and the attack vector is rated as network (AV:N). Successful exploitation of the double-free could result in high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or denial of service.
FFmpeg has addressed the issue via a patch in commit ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5, available on the project's GitHub repository. Security practitioners should update to versions incorporating this fix and review the source code at fftools/ffmpeg_mux_init.c#L886 for details. Additional technical analysis is provided in the referenced GitHub gist.
Details
- CWE(s)