2347287 – CVE-2025-27091 openh264: decoding functions heap overflow [fedora-all]

Bug 2347287 - CVE-2025-27091 openh264: decoding functions heap overflow [fedora-all]

Summary: CVE-2025-27091 openh264: decoding functions heap overflow [fedora-all]

Keywords:
Status:	NEW
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	openh264
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Wim Taymans
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	MultimediaSIG
TreeView+	depends on / blocked

Reported:	2025-02-24 10:49 UTC by Dominik 'Rathann' Mierzejewski
Modified:	2025-05-29 20:15 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x	0	None	None	None	2025-02-24 10:49:47 UTC

Description Dominik 'Rathann' Mierzejewski 2025-02-24 10:49:47 UTC

Description of problem:
A vulnerability in the decoding functions of OpenH264 codec library could allow a remote, unauthenticated attacker to trigger a heap overflow.

This vulnerability is due to a race condition between a Sequence Parameter Set (SPS) memory allocation and a subsequent non Instantaneous Decoder Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An attacker could exploit this vulnerability by crafting a malicious bitstream and tricking a victim user into processing an arbitrary video containing the malicious bistream. An exploit could allow the attacker to cause an unexpected crash in the victim's user decoding client and, possibly, perform arbitrary commands on the victim's host by abusing the heap overflow.

Version-Release number of selected component (if applicable):
openh264-2.5.0-1.fc43

Additional info:
Fixed in v2.6.0 (https://github.com/cisco/openh264/commit/63db555e30986e3a5f07871368dc90ae78c27449).

Debian advisory: https://security-tracker.debian.org/tracker/CVE-2025-27091 .

Comment 1 Dominik 'Rathann' Mierzejewski 2025-02-24 10:50:18 UTC

CVSS v4 rating: 8.6 (High).

Comment 2 Chris Adams 2025-04-29 12:32:08 UTC

I see builds in koji, but nothing has been pushed to the codecs/open264 repo. What is the holdup?

Comment 3 W. Michael Petullo 2025-05-29 20:15:10 UTC

Here is some documentation about the delay:

https://pagure.io/releng/issue/12617

See "That's a very good question" in the issue discussion.

Note You need to log in before you can comment on or make changes to this bug.