A denial of service in the subtitle decoder in FFmpeg 3.2 and 4.1 allows attackers to hog the CPU via a crafted video file in Matroska format, because handleopenbrace in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "18.04"
},
{
"last_affected": "18.04"
},
{
"introduced": "18.10"
},
{
"last_affected": "18.10"
},
{
"introduced": "19.04"
},
{
"last_affected": "19.04"
}
],
"source": "CPE_STRING",
"vendor_product": "canonical:ubuntu_linux"
}
]
}{
"extracted_events": [
{
"introduced": "3.2"
},
{
"last_affected": "3.2"
},
{
"introduced": "4.1"
},
{
"last_affected": "4.1"
}
],
"cpe": [
"cpe:2.3:a:ffmpeg:ffmpeg:3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:ffmpeg:ffmpeg:4.1:*:*:*:*:*:*:*"
],
"source": [
"CPE_STRING",
"REFERENCES"
]
}{
"extracted_events": [
{
"introduced": "3.2"
},
{
"last_affected": "3.2"
},
{
"introduced": "4.1"
},
{
"last_affected": "4.1"
}
],
"cpe": [
"cpe:2.3:a:ffmpeg:ffmpeg:3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:ffmpeg:ffmpeg:4.1:*:*:*:*:*:*:*"
],
"source": [
"CPE_STRING",
"REFERENCES"
]
}"2026-07-08T16:08:45Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9721.json"
[
{
"signature_type": "Function",
"target": {
"file": "libavcodec/htmlsubtitles.c",
"function": "ff_htmlmarkup_to_ass"
},
"deprecated": false,
"digest": {
"length": 3610.0,
"function_hash": "51195086334001458191859035190219042570"
},
"id": "CVE-2019-9721-1e4b4ede",
"source": "https://github.com/ffmpeg/ffmpeg/commit/273f2755ce8635d42da3cde0eeba15b2e7842774",
"signature_version": "v1"
},
{
"signature_type": "Line",
"target": {
"file": "libavcodec/htmlsubtitles.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"181052376676104601782979859616773957010",
"114335331683057061847747733341231002884",
"52182576610393413327815494532710655027",
"151988408299784471571915177291850664201",
"143530476180291881434987183528048468203",
"20671168889515778463202263099394878314",
"117734745311139794259276495167403311113",
"247691314197916473622205852293270336349",
"91970035849042864838408869607449612939",
"298548214798456625181670453837162301144",
"51594798183235078235674705393957355135",
"244888744203267073148994254791264550488"
],
"threshold": 0.9
},
"id": "CVE-2019-9721-efb6ae89",
"source": "https://github.com/ffmpeg/ffmpeg/commit/273f2755ce8635d42da3cde0eeba15b2e7842774",
"signature_version": "v1"
}
]