CVE-2025-10256

Source
https://cve.org/CVERecord?id=CVE-2025-10256
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-10256.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-10256
Published
2026-02-18T21:16:20.183Z
Modified
2026-02-20T23:55:44.464460Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
[none]
Details

A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array() in the config_input() function. An attacker could exploit this by tricking a victim into processing a crafted media file with the Firequalizer filter enabled, causing the application to dereference a NULL pointer and crash, leading to denial of service.

References

Affected packages

Git / github.com/ffmpeg/ffmpeg

Affected ranges

Type
GIT
Repo
https://github.com/ffmpeg/ffmpeg
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other
N
n0.*
n0.11-dev
n0.12-dev
n0.8
n1.*
n1.1-dev
n1.2-dev
n1.3-dev
n2.*
n2.0
n2.1-dev
n2.2-dev
n2.3-dev
n2.4-dev
n2.5-dev
n2.6-dev
n2.7-dev
n2.8-dev
n2.9-dev
n3.*
n3.1-dev
n3.2-dev
n3.3-dev
n3.4-dev
n3.5-dev
n4.*
n4.1-dev
n4.2-dev
n4.3-dev
n4.4-dev
n4.5-dev
n5.*
n5.1-dev
n5.2-dev
n6.*
n6.1-dev
n6.2-dev
n7.*
n7.1-dev
n7.2-dev

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-10256.json"
vanir_signatures
[
    {
        "id": "CVE-2025-10256-3a6de560",
        "source": "https://github.com/ffmpeg/ffmpeg/commit/a25462482c02c004d685a8fcf2fa63955aaa0931",
        "target": {
            "file": "libavfilter/af_firequalizer.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "321493839816606158343116090748206934806",
                "53892305200721695265977167624069007520",
                "177092034546534496997370879752450612345",
                "88557680400326488441787993508277071310"
            ]
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line"
    },
    {
        "id": "CVE-2025-10256-499f3814",
        "source": "https://github.com/ffmpeg/ffmpeg/commit/d3be186ed1bcdcf2c093d6b13a0e66dc5132be2a",
        "target": {
            "file": "libavfilter/af_firequalizer.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line"
    },
    {
        "id": "CVE-2025-10256-9f4ae285",
        "source": "https://github.com/ffmpeg/ffmpeg/commit/d3be186ed1bcdcf2c093d6b13a0e66dc5132be2a",
        "target": {
            "file": "libavfilter/af_firequalizer.c",
            "function": "generate_kernel"
        },
        "digest": {
            "function_hash": "58546301473373030025829541237072001771",
            "length": 4691.0
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function"
    },
    {
        "id": "CVE-2025-10256-ce66a121",
        "source": "https://github.com/ffmpeg/ffmpeg/commit/d3be186ed1bcdcf2c093d6b13a0e66dc5132be2a",
        "target": {
            "file": "libavfilter/af_firequalizer.c",
            "function": "common_uninit"
        },
        "digest": {
            "function_hash": "286545199342614272839824423949683923603",
            "length": 394.0
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function"
    },
    {
        "id": "CVE-2025-10256-e04ef09a",
        "source": "https://github.com/ffmpeg/ffmpeg/commit/a25462482c02c004d685a8fcf2fa63955aaa0931",
        "target": {
            "file": "libavfilter/af_firequalizer.c",
            "function": "config_input"
        },
        "digest": {
            "function_hash": "8724192776272083934694931559681064559",
            "length": 4412.0
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function"
    },
    {
        "id": "CVE-2025-10256-e9c8f70a",
        "source": "https://github.com/ffmpeg/ffmpeg/commit/d3be186ed1bcdcf2c093d6b13a0e66dc5132be2a",
        "target": {
            "file": "libavfilter/af_firequalizer.c",
            "function": "config_input"
        },
        "digest": {
            "function_hash": "25699025905739008154839902555636973179",
            "length": 2347.0
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function"
    }
]