CVE-2023-46407

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-46407
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-46407.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-46407
Downstream
Related
Published
2023-10-27T20:15:09Z
Modified
2025-10-28T10:21:07.747207Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
[none]
Details

FFmpeg prior to commit bf814 was discovered to contain an out-of-bounds read via the dist->alphabet_size variable in the read_vlc_prefix() function.

References

Affected packages

Git / git.ffmpeg.org/ffmpeg.git

Affected ranges

Type
GIT
Repo
https://git.ffmpeg.org/ffmpeg.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected

Git / github.com/ffmpeg/ffmpeg

Affected ranges

Type
GIT
Repo
https://github.com/ffmpeg/ffmpeg
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other

N

n0.*

n0.11-dev
n0.12-dev
n0.8

n1.*

n1.1-dev
n1.2-dev
n1.3-dev

n2.*

n2.0
n2.1-dev
n2.2-dev
n2.3-dev
n2.4-dev
n2.5-dev
n2.6-dev
n2.7-dev
n2.8-dev
n2.9-dev

n3.*

n3.1-dev
n3.2-dev
n3.3-dev
n3.4-dev
n3.5-dev

n4.*

n4.1-dev
n4.2-dev
n4.3-dev
n4.4-dev
n4.5-dev

n5.*

n5.1-dev
n5.2-dev

n6.*

n6.1-dev

Database specific

vanir_signatures

[
    {
        "id": "CVE-2023-46407-87c7faee",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/ffmpeg/ffmpeg/commit/bf814387f42e9b0dea9d75c03db4723c88e7d962",
        "target": {
            "file": "libavcodec/jpegxl_parser.c"
        },
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        }
    },
    {
        "id": "CVE-2023-46407-b175de68",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/ffmpeg/ffmpeg/commit/bf814387f42e9b0dea9d75c03db4723c88e7d962",
        "target": {
            "function": "read_vlc_prefix",
            "file": "libavcodec/jpegxl_parser.c"
        },
        "digest": {
            "function_hash": "253764707101986371767092635021744105843",
            "length": 3074.0
        }
    }
]