Bug 2346412 (CVE-2025-25468) - CVE-2025-25468 ffmpeg: Memory Leak in FFmpeg libavutil/mem.c
Summary: CVE-2025-25468 ffmpeg: Memory Leak in FFmpeg libavutil/mem.c
Keywords:
Status: NEW
Alias: CVE-2025-25468
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2346560 2346562 2346563 2346561 2346564 2346565 2346566 2346567
Blocks:
Reported: 2025-02-18 23:01 UTC by OSIDB Bzimport
Modified: 2025-03-08 00:53 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-02-18 23:01:40 UTC
FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/mem.c.

Comment 2 Dominik 'Rathann' Mierzejewski 2025-03-08 00:49:05 UTC
https://access.redhat.com/security/cve/CVE-2025-25468 links to https://trac.ffmpeg.org/ticket/11415, but that is closed as invalid. Commit log for d5873b says:

avformat/iamf_parse: add missing av_free() call on failure path
    
    Fixes ticket #11416

I'm going to assume this is about #11416.

Comment 3 Dominik 'Rathann' Mierzejewski 2025-03-08 00:53:55 UTC
Fixed in FFmpeg 7.1.1 (04fd3f69b3c3b608ca2654e3688dae7adc3adc8d).
6.1.2 and earlier are not affected as IAMF support was added in 7.0.
