Message-ID: <69de15be.050a0220.71566.d544@mx.google.com>
Date: Tue, 14 Apr 2026 03:23:58 -0700 (PDT)
From: yangjincheng1998@...il.com
To: oss-security@...ts.openwall.com
Subject: [disclosure] Multiple unpatched CVEs in libav (unmaintained FFmpeg fork, last update 2019)
libav is a fork of FFmpeg that has not received any commits since April 2019 (https://github.com/libav/libav). Despite being unmaintained, it continues to be used as a dependency in some projects. It contains multiple security vulnerabilities that were discovered and fixed in FFmpeg after the fork diverged but will never be patched in libav.
This post documents the confirmed unpatched CVEs as a public record and to warn users still depending on libav.
== Affected Software ==
Project : libav/libav
URL : https://github.com/libav/libav
Status : Unmaintained since April 2019 (FFmpeg fork)
Fix : None expected. Migrate to FFmpeg.
== CVE-2024-31578 — Use-After-Free in HEVC Decoder ==
Type : Use-After-Free (CWE-416)
Location: libavcodec/hevcdec.c — set_sps() / hls_slice_header()
Impact : Memory corruption via crafted HEVC stream
When processing HEVC streams with mid-stream SPS (Sequence Parameter Set)
changes, set_sps() may free reference frame data that is subsequently
accessed by hls_slice_header(), leading to use-after-free. Confirmed
present in libav's hevcdec.c via Docker build and code inspection.
== CVE-2024-22862 — Integer Overflow in Media Demuxer ==
Type : Integer Overflow (CWE-190)
Location: Media parsing / MOV/MP4 demuxer code
Impact : Potential heap corruption via crafted media file
libav contains the integer overflow vulnerability present in FFmpeg before
the upstream fix. The vulnerable code path was confirmed via Docker build.
== CVE-2024-31585 — Off-by-One Error in MXF Demuxer ==
Type : Off-by-One Error (CWE-193)
Location: libavformat/mxfdec.c
Impact : Heap corruption via crafted MXF file
The MXF demuxer off-by-one error inherited from FFmpeg is present in
libav's mxfdec.c. Confirmed via Docker build.
== CVE-2025-22919 — Reachable Assertions in AAC Decoder ==
Type : Reachable Assertion / Abort (CWE-617)
Location: libavcodec/aaccoder.c:509, libavcodec/aacpsy.c:490,492,823
Impact : Crash (DoS) via crafted AAC audio
Docker build confirmed multiple bare assert() calls in the AAC decoder
that can be triggered by crafted input:
libavcodec/aaccoder.c:509 assert(idx >= 0);
libavcodec/aacpsy.c:490 assert(bit_save <= 0.3f && ...);
libavcodec/aacpsy.c:492 assert(bit_spend <= 0.5f && ...);
libavcodec/aacpsy.c:823 assert(pch->prev_energy_subshort[...] > 0);
Unlike upstream FFmpeg, which uses the av_assert macros (controlled by build
flags), these are bare assert() calls that fire in standard release builds.
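As an added example (not part of the original post or of libav's source), the following POSIX shell check lists bare assert() calls in a vendored source tree the way the locations above were confirmed, while ignoring the level-controlled av_assert0/1/2 forms. The sample tree it builds is constructed here; its line text only mirrors the advisory's four locations and is not libav's actual code.

```shell
# find_bare_asserts DIR: print file:line:text for every bare assert( in the
# .c/.h files under DIR. av_assert0/1/2 are not matched because "assert" there
# is followed by a digit, and static_assert is excluded by the leading-char class.
# Preprocessor lines (e.g. a #define assert wrapper) are filtered out.
find_bare_asserts() {
    find "$1" \( -name '*.c' -o -name '*.h' \) -type f -exec \
        grep -nE '(^|[^A-Za-z0-9_])assert[[:space:]]*\(' /dev/null {} + \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# Constructed sample tree: two files mirroring the advisory's locations.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/libavcodec"
    cat > "$d/libavcodec/aaccoder.c" <<'EOF'
#include <assert.h>
static int pick(int idx) {
    av_assert0(idx < 64);      /* level-controlled macro: not reported */
    assert(idx >= 0);          /* bare assert: aborts a release build */
    return idx;
}
EOF
    cat > "$d/libavcodec/aacpsy.c" <<'EOF'
#include "libavutil/avassert.h"
    av_assert2(ctx != NULL);
    assert(bit_save <= 0.3f && bit_save >= -0.3f);
    assert(bit_spend <= 0.5f && bit_spend >= -0.5f);
    assert(pch->prev_energy_subshort[i] > 0);
    static_assert(1, "compile-time check, not a runtime abort");
EOF
    echo "$d"
}

# count_bare_asserts DIR: number of bare assert() hits under DIR.
count_bare_asserts() {
    find_bare_asserts "$1" | wc -l | tr -d ' '
}
```

Running `find_bare_asserts` against the sample tree reports the four bare calls (one in aaccoder.c, three in aacpsy.c) and nothing for the av_assert and static_assert lines; point it at a real libav checkout to get the same file:line listing for the decoder paths.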
== Recommendation ==
Users depending on libav should migrate to FFmpeg, which receives active
security maintenance and has patches for all of the above CVEs.
libav GitHub Issues are disabled and no security contact is available.
This post serves as the public disclosure record.