CVE-2024-36615
- Source
- https://cve.org/CVERecord?id=CVE-2024-36615
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-36615.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-36615
- Downstream
- Published
- 2024-11-29T19:15:07.703Z
- Modified
- 2025-12-05T10:11:58.457773Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could lead to a data race if video encoding parameters were being exported, as the side data would be attached in the decoder thread while being read in the output thread.
- References
Affected packages
Git / git.ffmpeg.org/ffmpeg.git
Git / github.com/ffmpeg/ffmpeg
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ffmpeg/ffmpeg
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
N
n0.*
n0.11-dev
n0.12-dev
n0.8
n1.*
n1.1-dev
n1.2-dev
n1.3-dev
n2.*
n2.0
n2.1-dev
n2.2-dev
n2.3-dev
n2.4-dev
n2.5-dev
n2.6-dev
n2.7-dev
n2.8-dev
n2.9-dev
n3.*
n3.1-dev
n3.2-dev
n3.3-dev
n3.4-dev
n3.5-dev
n4.*
n4.1-dev
n4.2-dev
n4.3-dev
n4.4-dev
n4.5-dev
n5.*
n5.1-dev
n5.2-dev
n6.*
n6.1-dev
n6.2-dev
n7.*
n7.1-dev
Database specific
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-36615.json"
vanir_signatures
[
{
"digest": {
"line_hashes": [
"335372490738671505369724182254531041358",
"127935918616120087823486240640612650771",
"142323770510189586889619665783444845507",
"45284856373428535342396139929615234043",
"142229536224802899673542715021971453843",
"175174521360538139367317829246283952766",
"4472253933098053916888779846008430051",
"316734082837480305364479477828994035890",
"23466475118872071879769195409857382566",
"319439282671016077836651778039992486975",
"195227560335120158004437394736265210786",
"107043060073689191139734471039878542009",
"43512771917042668951682315554863543537",
"80400429131705607110080330649464797297",
"133461771431000468769775978014958969048",
"220889737768823718366930779482888751041",
"16699427622736519744943646276138935950",
"70536755975377561454931613614243141973",
"225445499080665327927535202886746257142",
"106405627162966505925675949535580262338",
"136871351956682855118878614421738178294",
"72332549859910042828467466376498584432",
"194425828275613009927530676027193037548",
"292181177555336973886015917697509749619",
"214458693370656173405146946334051101860",
"7866441006196485450554987271389423764",
"336827735829244440589123590071041938217",
"18644247126023547669098045349579719722",
"232666750874083941178246185749465165937"
],
"threshold": 0.9
},
"id": "CVE-2024-36615-711d8270",
"signature_type": "Line",
"source": "https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61",
"target": {
"file": "libavcodec/vp9.c"
},
"deprecated": false,
"signature_version": "v1"
},
{
"digest": {
"function_hash": "250631083245688050283878552280104948723",
"length": 7208.0
},
"id": "CVE-2024-36615-db7c6038",
"signature_type": "Function",
"source": "https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61",
"target": {
"function": "vp9_decode_frame",
"file": "libavcodec/vp9.c"
},
"deprecated": false,
"signature_version": "v1"
}
]