CVE-2025-63757

NameCVE-2025-63757
DescriptionInteger overflow vulnerability in the yuv2ya16_X_c_template function in libswscale/output.c in FFmpeg 8.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6073-1, DSA-6079-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ffmpeg (PTS)bullseye7:4.3.7-0+deb11u1vulnerable
bullseye (security)7:4.3.9-0+deb11u1vulnerable
bookworm7:5.1.7-0+deb12u1vulnerable
bookworm (security)7:5.1.8-0+deb12u1fixed
trixie7:7.1.2-0+deb13u1vulnerable
trixie (security)7:7.1.3-0+deb13u1fixed
forky, sid7:8.0.1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ffmpegsourcebookworm7:5.1.8-0+deb12u1DSA-6079-1
ffmpegsourcetrixie7:7.1.3-0+deb13u1DSA-6073-1
ffmpegsource(unstable)7:7.1.3-1

Notes

https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20698
https://code.ffmpeg.org/FFmpeg/FFmpeg/0c6b7f9483a38657c9be824572b4c0c45d4d9fef (master)
https://code.ffmpeg.org/FFmpeg/FFmpeg/716cf25eb8616e8e068a7c2a5d23ae107bd117b4 (n8.0.1)
https://code.ffmpeg.org/FFmpeg/FFmpeg/19877054e340e2babb7ef0d00e81c12bfeb19391 (n7.1.3)
https://code.ffmpeg.org/FFmpeg/FFmpeg/ac4caa33bae5841649c61d4f8a0608dfa59c4fa1 (n5.1.8)
Search for package or bug name: Reporting problems