CVE-2025-7700

Name	CVE-2025-7700
Description	NULL Pointer Dereference in FFmpeg ALS Decoder (libavcodec/alsdec.c)
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-5985-1, DSA-6007-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ffmpeg (PTS)	bullseye	7:4.3.7-0+deb11u1	vulnerable
	bullseye (security)	7:4.3.9-0+deb11u1	vulnerable
	bookworm, bookworm (security)	7:5.1.7-0+deb12u1	fixed
	trixie	7:7.1.1-1	vulnerable
	trixie (security)	7:7.1.2-0+deb13u1	fixed
	forky, sid	7:7.1.2-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
ffmpeg	source	bookworm	7:5.1.7-0+deb12u1	DSA-5985-1
ffmpeg	source	trixie	7:7.1.2-0+deb13u1	DSA-6007-1
ffmpeg	source	(unstable)	7:7.1.2-1

Notes

[bullseye] - ffmpeg <postponed> (Minor issue, wait until it's fixed in the 4.3 branch)
Introduced with: https://git.ffmpeg.org/gitweb/ffmpeg.git/object/dcfd24b10c7eaec4b7b1ec2c4abb46808721a71d
Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/35a6de137a39f274d5e01ed0e0e6c4f04d0aaf07 (n8.0)
Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/e0c5acb3e343d1c91c0914a786ff59176d4066a2 (n7.1.2)
Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/aad4b59cfee1f0a3cf02f5e2b1f291ce013bf27e (n5.1.7)