Cyber Posture

CVE-2025-1594

Medium · Public PoC

Published: 23 February 2025

Modified: 03 June 2025
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS Score 0.0012 30.7th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. This affects the function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c of the component AAC Encoder. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Security Summary

CVE-2025-1594 is a stack-based buffer overflow vulnerability classified as critical in FFmpeg versions up to 7.1. It affects the ff_aac_search_for_tns function in the libavcodec/aacenc_tns.c file of the AAC Encoder component. The issue, linked to CWE-119, CWE-121, and CWE-787, was published on 2025-02-23.

The vulnerability enables remote exploitation through manipulated input. Its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) reflects a network attack vector, low attack complexity, no privileges required, and required user interaction. Attackers can achieve limited impacts on confidentiality, integrity, and availability. A proof-of-concept exploit has been publicly disclosed and may be used.

References include FFmpeg's official site, a POC attachment and comment on trac.ffmpeg.org/ticket/11418, and VulDB entries at vuldb.com/?ctiid.296589 and vuldb.com/?id.296589, which detail the vulnerability.

Details

CWE(s)
CWE-119, CWE-121, CWE-787

Affected Products

ffmpeg
ffmpeg
≤ 7.1

References