CVE-2025-10256

A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/affirequalizer.c) due to a missing check on the return value of avmallocarray() in the configinput() function. An attacker could exploit this by tricking a victim into processing a crafted media file with the Firequalizer filter enabled, causing the application to dereference a NULL pointer and crash, leading to denial of service.

Database specific

{
    "cna_assigner": "fedora",
    "cwe_ids": [
        "CWE-476"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/10xxx/CVE-2025-10256.json"
}

References

Affected packages

Git / git.ffmpeg.org/ffmpeg.git

Affected ranges

Type

GIT

Repo

https://git.ffmpeg.org/ffmpeg.git

Events

Introduced

340cea9f22c162e10d120835661e132721b7454b

Fixed

140fd653aed8cad774f991ba083e2d01e86420c7

Database specific

{
    "cpe": "cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "3.2"
        },
        {
            "fixed": "8.0"
        }
    ]
}

Type

GIT

Repo

https://github.com/ffmpeg/ffmpeg

Events

Introduced

340cea9f22c162e10d120835661e132721b7454b

Fixed

140fd653aed8cad774f991ba083e2d01e86420c7

Fixed

a25462482c02c004d685a8fcf2fa63955aaa0931

Fixed

d3be186ed1bcdcf2c093d6b13a0e66dc5132be2a

Database specific

{
    "cpe": "cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "3.2"
        },
        {
            "fixed": "8.0"
        }
    ]
}

Affected versions

n3.*

n3.2-dev

n3.3-dev

n3.4-dev

n3.5-dev

n4.*

n4.1-dev

n4.2-dev

n4.3-dev

n4.4-dev

n4.5-dev

n5.*

n5.1-dev

n5.2-dev

n6.*

n6.1-dev

n6.2-dev

n7.*

n7.1-dev

n7.2-dev

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-10256.json"