In FFmpeg 3.2 and 4.1, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because ffhtmlmarkupto_ass in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "18.04"
},
{
"last_affected": "18.04"
},
{
"introduced": "18.10"
},
{
"last_affected": "18.10"
},
{
"introduced": "19.04"
},
{
"last_affected": "19.04"
}
],
"source": "CPE_STRING",
"vendor_product": "canonical:ubuntu_linux"
},
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "9.0"
},
{
"last_affected": "9.0"
}
],
"source": "CPE_STRING",
"vendor_product": "debian:debian_linux"
}
]
}{
"extracted_events": [
{
"introduced": "3.2"
},
{
"last_affected": "3.2"
},
{
"introduced": "4.1"
},
{
"last_affected": "4.1"
}
],
"cpe": [
"cpe:2.3:a:ffmpeg:ffmpeg:3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:ffmpeg:ffmpeg:4.1:*:*:*:*:*:*:*"
],
"source": [
"CPE_STRING",
"REFERENCES"
]
}{
"extracted_events": [
{
"introduced": "3.2"
},
{
"last_affected": "3.2"
},
{
"introduced": "4.1"
},
{
"last_affected": "4.1"
}
],
"cpe": [
"cpe:2.3:a:ffmpeg:ffmpeg:3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:ffmpeg:ffmpeg:4.1:*:*:*:*:*:*:*"
],
"source": [
"CPE_STRING",
"REFERENCES"
]
}"2026-07-08T16:08:43Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9718.json"
[
{
"signature_type": "Function",
"target": {
"file": "libavcodec/htmlsubtitles.c",
"function": "ff_htmlmarkup_to_ass"
},
"deprecated": false,
"digest": {
"length": 3632.0,
"function_hash": "134429341697870814247987316111924007456"
},
"id": "CVE-2019-9718-755ab778",
"source": "https://github.com/ffmpeg/ffmpeg/commit/23ccf3cabb4baf6e8af4b1af3fcc59c904736f21",
"signature_version": "v1"
},
{
"signature_type": "Line",
"target": {
"file": "libavcodec/htmlsubtitles.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"146229409084369695006291932218330531278",
"186871920662715219977446106701134555870",
"310562769026243982809424482522257025845",
"34344457376983665913898773828430549216",
"260166848363255873671710857472511837215",
"80024346695892532889397988976103392180",
"202968329324838149850240999019982554458"
],
"threshold": 0.9
},
"id": "CVE-2019-9718-da1a4911",
"source": "https://github.com/ffmpeg/ffmpeg/commit/23ccf3cabb4baf6e8af4b1af3fcc59c904736f21",
"signature_version": "v1"
}
]