CVE-2025-69693

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-69693
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69693.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-69693
Downstream
Related
Published
2026-03-16T20:16:15.060Z
Modified
2026-04-12T22:13:20.878476Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L CVSS Calculator
Summary
[none]
Details

Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c). The quantization parameter (qp) validation at line 2267 only checks the lower bound (qp < 0) but is missing upper bound validation. The qp value can reach 65 (base value 63 from 6-bit frame header + offset +2 from readqpoffset) while the rv60qptoidx array has size 64 (valid indices 0-63). This results in out-of-bounds array access at lines 1554 (decodecbp8), 1655 (decodecbp16), and 1419/1421 (getc4x4_set), potentially leading to memory disclosure or crash. A previous fix in commit 61cbcaf93f added validation only for intra frames. This vulnerability affects the released versions 8.0 (released 2025-08-22) and 8.0.1 (released 2025-11-20) and is fixed in git master commit 8abeb879df which will be included in FFmpeg 8.1.

References

Affected packages

Git / github.com/ffmpeg/ffmpeg

Affected ranges

Type
GIT
Repo
https://github.com/ffmpeg/ffmpeg
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
140fd653aed8cad774f991ba083e2d01e86420c7
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
894da5ca7d742e4429ffb2af534fcda0103ef593
Fixed
8abeb879df66ea8d27ce1735925ced5a30813de4
Fixed
140fd653aed8cad774f991ba083e2d01e86420c7
Fixed
894da5ca7d742e4429ffb2af534fcda0103ef593
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.0.1"
        }
    ]
}

Affected versions

Other
N
n0.*
n0.11-dev
n0.12-dev
n0.8
n1.*
n1.1-dev
n1.2-dev
n1.3-dev
n2.*
n2.0
n2.1-dev
n2.2-dev
n2.3-dev
n2.4-dev
n2.5-dev
n2.6-dev
n2.7-dev
n2.8-dev
n2.9-dev
n3.*
n3.1-dev
n3.2-dev
n3.3-dev
n3.4-dev
n3.5-dev
n4.*
n4.1-dev
n4.2-dev
n4.3-dev
n4.4-dev
n4.5-dev
n5.*
n5.1-dev
n5.2-dev
n6.*
n6.1-dev
n6.2-dev
n7.*
n7.1-dev
n7.2-dev
n8.*
n8.0
n8.0.1
n8.1-dev

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69693.json"
vanir_signatures 
[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "319463804543022455350418291694441221203",
                "206599895259314049524466846104299423289",
                "67416186472072696860819440033718424028",
                "39666074499866467720094676373759987945"
            ]
        },
        "id": "CVE-2025-69693-023bf0f9",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/ffmpeg/ffmpeg/commit/8abeb879df66ea8d27ce1735925ced5a30813de4",
        "target": {
            "file": "libavcodec/rv60dec.c"
        }
    },
    {
        "digest": {
            "length": 1468.0,
            "function_hash": "36823098393715162071325716314691607851"
        },
        "id": "CVE-2025-69693-66ff9203",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/ffmpeg/ffmpeg/commit/8abeb879df66ea8d27ce1735925ced5a30813de4",
        "target": {
            "function": "decode_slice",
            "file": "libavcodec/rv60dec.c"
        }
    }
]
vanir_signatures_modified 
"2026-04-12T22:13:20Z"