Bug 2346412 (CVE-2025-25468)

Summary: CVE-2025-25468 ffmpeg: Memory Leak in FFmpeg libavutil/mem.c
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium    
Version: unspecified
Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Text:
A flaw was found in FFmpeg. This vulnerability allows an attacker to exhaust memory resources, which can lead to a denial of service via improper memory management.
Bug Depends On: 2346560, 2346562, 2346563, 2346561, 2346564, 2346565, 2346566, 2346567    

Description OSIDB Bzimport 2025-02-18 23:01:40 UTC
FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/mem.c.

Comment 2 Dominik 'Rathann' Mierzejewski 2025-03-08 00:49:05 UTC
https://access.redhat.com/security/cve/CVE-2025-25468 links to https://trac.ffmpeg.org/ticket/11415, but that is closed as invalid. Commit log for d5873b says:

avformat/iamf_parse: add missing av_free() call on failure path
    
    Fixes ticket #11416

I'm going to assume this is about #11416.

Comment 3 Dominik 'Rathann' Mierzejewski 2025-03-08 00:53:55 UTC
Fixed in FFmpeg 7.1.1 (04fd3f69b3c3b608ca2654e3688dae7adc3adc8d).
6.1.2 and earlier are not affected as IAMF support was added in 7.0.