Use-after-free in ffmpeg (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-1999013 |
| CWE-ID | CWE-416 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
ffmpeg (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Use-after-free
EUVDB-ID: #VU32008
Risk: Medium
CVSSv3.1: 5.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-1999013
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing specially crafted RM file has to be provided as input. This vulnerability appears to have been fixed in a7e032a277452366771951e29fd0bf2bd5c029f0 and later. A attacker to read heap memory. This attack appear can be exploitable.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsffmpeg (Alpine package): 4.1.3-r1
CPE2.3 External linkshttp://git.alpinelinux.org/aports/commit/?id=d8d38dabc6e30c901eb6bd6627d8337849d7c041
http://git.alpinelinux.org/aports/commit/?id=cf78a820406ae4481e937bc2fba252ff79c89a09
http://git.alpinelinux.org/aports/commit/?id=859fd99d06049c009c8b745626511cd681061a99
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
