CVE-2026-30997

NameCVE-2026-30997
DescriptionAn out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6276-1, DSA-6361-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ffmpeg (PTS)bullseye7:4.3.7-0+deb11u1vulnerable
bullseye (security)7:4.3.9-0+deb11u2vulnerable
bookworm7:5.1.8-0+deb12u1vulnerable
bookworm (security)7:5.1.9-0+deb12u1fixed
trixie7:7.1.3-0+deb13u1vulnerable
trixie (security)7:7.1.5-0+deb13u1fixed
forky, sid7:8.1.2-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ffmpegsourcebookworm7:5.1.9-0+deb12u1DSA-6276-1
ffmpegsourcetrixie7:7.1.5-0+deb13u1DSA-6361-1
ffmpegsource(unstable)7:8.1.1-1

Notes

[bullseye] - ffmpeg <postponed> (Minor issue)
https://excellent-oatmeal-319.notion.site/CVE-2026-30997-Out-of-Bounds-Access-a7929817b9794568b2f7774397c7d65f
Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/1a2c16fe514b60e1860829c42ce199de77a007e5
Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/6266867e7bc4106dd3f77d6d702a0499fb3254db (n8.1.1)
Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/3c4ca300f469d657051c8584515870fe9c36aaa3 (n8.0.2)
Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/9abe92e3af7fa7becc8f7f742b1457b4c28220a6 (n7.1.4)
Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/74c75e9ceacd99d20c09d09fec73c1b15ffd6172 (n5.1.9)

Search for package or bug name: Reporting problems