DEBIAN-CVE-2026-40962

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-40962
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-40962.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-40962
Upstream
  • CVE-2026-40962
Published
2026-04-16T22:03:00.069606Z
Modified
2026-04-16T22:03:00.069606Z
Summary
[none]
Details

FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c.

References

Affected packages

Debian:11 / ffmpeg

Package

Name
ffmpeg
Purl
pkg:deb/debian/ffmpeg?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7:4.*
7:4.3.2-0+deb11u2
7:4.3.2-1
7:4.3.2-2
7:4.3.3-0+deb11u1
7:4.3.4-0+deb11u1
7:4.3.5-0+deb11u1
7:4.3.6-0+deb11u1
7:4.3.7-0+deb11u1
7:4.3.8-0+deb11u1
7:4.3.8-0+deb11u2
7:4.3.8-0+deb11u3
7:4.3.9-0+deb11u1
7:4.3.9-0+deb11u2
7:4.4-1
7:4.4-2
7:4.4-3
7:4.4-4
7:4.4-5
7:4.4-6
7:4.4.1-1
7:4.4.1-2
7:4.4.1-2+ports
7:4.4.1-3
7:4.4.2-1
7:5.*
7:5.0-1
7:5.0-2
7:5.0-3
7:5.0.1-1
7:5.0.1-2
7:5.0.1-3
7:5.1-1
7:5.1-2
7:5.1-2.1
7:5.1-3
7:5.1.1-1
7:5.1.1-2
7:5.1.1-2+m68k
7:5.1.2-1
7:5.1.2-2
7:5.1.2-3
7:5.1.3-1
7:5.1.3-2
7:6.*
7:6.0-1
7:6.0-2
7:6.0-3
7:6.0-4
7:6.0-5
7:6.0-6
7:6.0-7
7:6.0-8
7:6.0-9
7:6.1-1
7:6.1-2
7:6.1-3
7:6.1-4
7:6.1-5
7:6.1.1-1
7:6.1.1-2
7:6.1.1-3
7:6.1.1-4
7:6.1.1-5
7:7.*
7:7.0-1
7:7.0.1-1
7:7.0.1-2
7:7.0.1-3
7:7.0.1-4
7:7.0.1-5
7:7.0.2-1
7:7.0.2-2
7:7.0.2-3
7:7.1-1
7:7.1-2
7:7.1-3
7:7.1-4
7:7.1.1-1
7:7.1.2-1
7:7.1.3-1
7:8.*
7:8.0-1
7:8.0-2
7:8.0.1-1
7:8.0.1-2
7:8.0.1-3
7:8.1-1
7:8.1-2
7:8.1-3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-40962.json"

Debian:12 / ffmpeg

Package

Name
ffmpeg
Purl
pkg:deb/debian/ffmpeg?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7:5.*
7:5.1.3-1
7:5.1.3-2
7:5.1.4-0+deb12u1
7:5.1.5-0+deb12u1
7:5.1.6-0+deb12u1
7:5.1.7-0+deb12u1
7:5.1.8-0+deb12u1
7:6.*
7:6.0-1
7:6.0-2
7:6.0-3
7:6.0-4
7:6.0-5
7:6.0-6
7:6.0-7
7:6.0-8
7:6.0-9
7:6.1-1
7:6.1-2
7:6.1-3
7:6.1-4
7:6.1-5
7:6.1.1-1
7:6.1.1-2
7:6.1.1-3
7:6.1.1-4
7:6.1.1-5
7:7.*
7:7.0-1
7:7.0.1-1
7:7.0.1-2
7:7.0.1-3
7:7.0.1-4
7:7.0.1-5
7:7.0.2-1
7:7.0.2-2
7:7.0.2-3
7:7.1-1
7:7.1-2
7:7.1-3
7:7.1-4
7:7.1.1-1
7:7.1.2-1
7:7.1.3-1
7:8.*
7:8.0-1
7:8.0-2
7:8.0.1-1
7:8.0.1-2
7:8.0.1-3
7:8.1-1
7:8.1-2
7:8.1-3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-40962.json"

Debian:13 / ffmpeg

Package

Name
ffmpeg
Purl
pkg:deb/debian/ffmpeg?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7:7.*
7:7.1.1-1
7:7.1.2-0+deb13u1
7:7.1.2-1
7:7.1.3-0+deb13u1
7:7.1.3-1
7:8.*
7:8.0-1
7:8.0-2
7:8.0.1-1
7:8.0.1-2
7:8.0.1-3
7:8.1-1
7:8.1-2
7:8.1-3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-40962.json"

Debian:14 / ffmpeg

Package

Name
ffmpeg
Purl
pkg:deb/debian/ffmpeg?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7:8.1-1

Affected versions

7:7.*
7:7.1.1-1
7:7.1.2-1
7:7.1.3-1
7:8.*
7:8.0-1
7:8.0-2
7:8.0.1-1
7:8.0.1-2
7:8.0.1-3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-40962.json"