CVE-2018-1999010

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2018-1999010
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1999010.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2018-1999010
Downstream
Related
Published
2018-07-23T15:29:00Z
Modified
2025-10-15T09:31:01.028960Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple out of array access vulnerabilities in the mms protocol that can result in attackers accessing out of bound data. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in cced03dd667a5df6df8fd40d8de0bff477ee02e8 and later.

References

Affected packages

Git / git.ffmpeg.org/ffmpeg.git

Affected ranges

Type
GIT
Repo
https://git.ffmpeg.org/ffmpeg.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
89355585366b16238244decae40fbe0cc7ae3e40
Type
GIT
Repo
https://github.com/ffmpeg/ffmpeg
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
cced03dd667a5df6df8fd40d8de0bff477ee02e8

Affected versions

Other

N

n0.*

n0.11-dev
n0.12-dev
n0.8

n1.*

n1.1-dev
n1.2-dev
n1.3-dev

n2.*

n2.0
n2.1-dev
n2.2-dev
n2.3-dev
n2.4-dev
n2.5-dev
n2.6-dev
n2.7-dev
n2.8-dev
n2.9-dev

n3.*

n3.1-dev
n3.2-dev
n3.3-dev
n3.4
n3.4-dev
n3.4.1
n3.4.2
n3.5-dev

n4.*

n4.1-dev

Database specific 

{
    "vanir_signatures": [
        {
            "source": "https://github.com/ffmpeg/ffmpeg/commit/cced03dd667a5df6df8fd40d8de0bff477ee02e8",
            "signature_type": "Line",
            "target": {
                "file": "libavformat/mms.c"
            },
            "id": "CVE-2018-1999010-652843dd",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "78202195712770235845065918008995714155",
                    "25754445282885046612092702458519684185",
                    "277023884937850835968330685448119124084",
                    "278019681951011323163437926332972927971",
                    "250647003674814466267960988228712149874",
                    "10814176852304190284463812927232303010",
                    "189833846312113163077900897036612244375",
                    "19635734148578544078999212882141600268",
                    "335001464036977556978172061875076137859",
                    "83089085845436435126876043989897867700",
                    "289597708622081956339038641287220750052",
                    "58087555352726034300245463660698804744",
                    "238178062944026379763027691125163598947",
                    "222188485564963357637829767566231347864",
                    "213228672373721048432388768205835982387",
                    "327139887196078928637424783087343747395",
                    "235445644620037478916316203513574216654",
                    "49274175430772575505439545061306277492",
                    "133972656849788101831967806197120893869",
                    "173019152454466486649455865797028269205",
                    "230702447792541292929342687107060858423",
                    "134120086518410833275263912502801714221"
                ]
            },
            "deprecated": false,
            "signature_version": "v1"
        },
        {
            "source": "https://github.com/ffmpeg/ffmpeg/commit/cced03dd667a5df6df8fd40d8de0bff477ee02e8",
            "signature_type": "Function",
            "target": {
                "file": "libavformat/mms.c",
                "function": "ff_mms_asf_header_parser"
            },
            "id": "CVE-2018-1999010-77877fcc",
            "digest": {
                "function_hash": "149159414930309841586555126726355166271",
                "length": 2951.0
            },
            "deprecated": false,
            "signature_version": "v1"
        }
    ]
}