CVE-2025-69693

Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c). The quantization parameter (qp) validation at line 2267 only checks the lower bound (qp < 0) but is missing upper bound validation. The qp value can reach 65 (base value 63 from 6-bit frame header + offset +2 from read_qp_offset) while the rv60_qp_to_idx array has size 64 (valid indices 0-63). This results in out-of-bounds array access at lines 1554 (decode_cbp8), 1655 (decode_cbp16), and 1419/1421 (get_c4x4_set), potentially leading to memory disclosure or crash. A previous fix in commit 61cbcaf93f added validation only for intra frames. This vulnerability affects the released versions 8.0 (released 2025-08-22) and 8.0.1 (released 2025-11-20) and is fixed in git master commit 8abeb879df which will be included in FFmpeg 8.1.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/FFmpeg/FFmpeg/commit/8abeb879df66ea8d27ce1735925ced5a30813de4	Patch
https://github.com/FFmpeg/FFmpeg/releases/tag/n8.0	Product Release Notes
https://github.com/FFmpeg/FFmpeg/releases/tag/n8.0.1	Product Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ffmpeg:ffmpeg:8.0:::::::*
	cpe:2.3:a:ffmpeg:ffmpeg:8.0.1:::::::*

History

No history.

Information

Published : 2026-03-16 20:16

Updated : 2026-03-19 14:19

NVD link : CVE-2025-69693

Mitre link : CVE-2025-69693

CVE.ORG link : CVE-2025-69693

JSON object : View

Products Affected

ffmpeg

ffmpeg

CWE

CWE-125

Out-of-bounds Read

{"id": "CVE-2025-69693", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2026-03-16T20:16:15.060", "references": [{"url": "https://github.com/FFmpeg/FFmpeg/commit/8abeb879df66ea8d27ce1735925ced5a30813de4", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/FFmpeg/FFmpeg/releases/tag/n8.0", "tags": ["Product", "Release Notes"], "source": "cve@mitre.org"}, {"url": "https://github.com/FFmpeg/FFmpeg/releases/tag/n8.0.1", "tags": ["Product", "Release Notes"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c). The quantization parameter (qp) validation at line 2267 only checks the lower bound (qp < 0) but is missing upper bound validation. The qp value can reach 65 (base value 63 from 6-bit frame header + offset +2 from read_qp_offset) while the rv60_qp_to_idx array has size 64 (valid indices 0-63). This results in out-of-bounds array access at lines 1554 (decode_cbp8), 1655 (decode_cbp16), and 1419/1421 (get_c4x4_set), potentially leading to memory disclosure or crash. A previous fix in commit 61cbcaf93f added validation only for intra frames. This vulnerability affects the released versions 8.0 (released 2025-08-22) and 8.0.1 (released 2025-11-20) and is fixed in git master commit 8abeb879df which will be included in FFmpeg 8.1."}, {"lang": "es", "value": "Lectura fuera de l\u00edmites en el decodificador de video RV60 de FFmpeg 8.0 y 8.0.1 (libavcodec/rv60dec.c). La validaci\u00f3n del par\u00e1metro de cuantificaci\u00f3n (qp) en la l\u00ednea 2267 solo verifica el l\u00edmite inferior (qp < 0) pero carece de validaci\u00f3n del l\u00edmite superior. El valor de qp puede alcanzar 65 (valor base 63 del encabezado de trama de 6 bits + desplazamiento +2 de read_qp_offset) mientras que el array rv60_qp_to_idx tiene un tama\u00f1o de 64 (\u00edndices v\u00e1lidos 0-63). Esto resulta en acceso a array fuera de l\u00edmites en las l\u00edneas 1554 (decode_cbp8), 1655 (decode_cbp16) y 1419/1421 (get_c4x4_set), lo que podr\u00eda llevar a la divulgaci\u00f3n de memoria o a un fallo. Una correcci\u00f3n anterior en el commit 61cbcaf93f a\u00f1adi\u00f3 validaci\u00f3n solo para fotogramas intra. Esta vulnerabilidad afecta a las versiones publicadas 8.0 (publicada el 22-08-2025) y 8.0.1 (publicada el 20-11-2025) y est\u00e1 corregida en el commit maestro de git 8abeb879df que se incluir\u00e1 en FFmpeg 8.1."}], "lastModified": "2026-03-19T14:19:12.370", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ffmpeg:ffmpeg:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E3BC8327-6529-4B32-B7AF-FCAB3BDF8B42"}, {"criteria": "cpe:2.3:a:ffmpeg:ffmpeg:8.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F5CACA2-6FB6-4D6D-92D0-C9FF0E7CDB14"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}