{"uuid": "c2e21e35-06cd-4b53-8627-2a8dde39237f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39211", "type": "seen", "source": "https://gist.github.com/cla7aye15I4nd/f9a7700240afe7ae8171ee65682e890f", "content": "# FFmpeg CVE Disclosures \u2014 2026-05-07\n\n**Submitter:** zheng@depthfirst.com  \n**Submission Date:** 2026-05-07T14:03:40  \n**Product:** FFmpeg (libavformat, libswscale, libavcodec, fftools)  \n**Vendor:** FFmpeg Project \u2014 https://ffmpeg.org  \n\n---\n\n## CVE-2026-39210\n\n**Component:** `libavformat/mpegts.c` \u2014 `pmt_cb()`  \n**Vulnerability Type:** Heap Buffer Overflow  \n**Description:** A heap buffer overflow exists in `pmt_cb()` in `libavformat/mpegts.c`. Processing a crafted MPEG-TS file with a malformed Program Map Table can write past the end of a heap-allocated buffer, potentially leading to arbitrary code execution or denial of service.  \n**Fix Commit:** https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/5975149603  \n**Pull Request:** https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21562  \n\n---\n\n## CVE-2026-39211\n\n**Component:** `libswscale/utils.c` \u2014 `initFilter()`  \n**Vulnerability Type:** Integer Overflow  \n**Description:** An integer overflow exists in `initFilter()` in `libswscale/utils.c`. A specially crafted scaling filter configuration can cause an integer overflow that results in an undersized buffer allocation, leading to subsequent out-of-bounds writes and potential code execution.  \n**Fix Commit:** https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/404775a141  \n**Pull Request:** https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21536  \n\n---\n\n## CVE-2026-39212\n\n**Component:** `fftools/ffmpeg_opt.c` \u2014 `opt_preset()`  \n**Vulnerability Type:** Stack Overflow  \n**Description:** A stack overflow exists in `opt_preset()` in `fftools/ffmpeg_opt.c`. 
Processing a crafted preset file or preset name can trigger unbounded stack growth, leading to stack exhaustion and a crash or potential code execution.  \n**Fix Commit:** https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/0833dd3665  \n**Pull Request:** https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21549  \n\n---\n\n## CVE-2026-39213\n\n**Component:** `libavformat/yuv4mpegenc.c` \u2014 `yuv4_write_packet()`  \n**Vulnerability Type:** Heap Buffer Overflow  \n**Description:** A heap buffer overflow exists in `yuv4_write_packet()` in `libavformat/yuv4mpegenc.c`. Writing a crafted YUV4MPEG frame with unexpected dimensions or format parameters can overflow a heap buffer, potentially leading to arbitrary code execution or denial of service.  \n**Fix Commit:** https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/b740b85872  \n**Pull Request:** https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21552  \n\n---\n\n## CVE-2026-39214\n\n**Component:** `libavformat/mpegtsenc.c` \u2014 `mpegts_write_sdt()`  \n**Vulnerability Type:** Stack Overflow  \n**Description:** A stack overflow exists in `mpegts_write_sdt()` in `libavformat/mpegtsenc.c`. Muxing a crafted MPEG-TS stream with a malformed Service Description Table can exhaust stack space, leading to a crash or potential code execution.  \n**Fix Commit:** https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/19c78cd6d9  \n**Pull Request:** https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21561  \n\n---\n\n## CVE-2026-39215\n\n**Component:** `libavcodec/mpegvideo_enc.c` \u2014 `update_mb_info()`  \n**Vulnerability Type:** Heap Buffer Overflow  \n**Description:** A heap buffer overflow exists in `update_mb_info()` in `libavcodec/mpegvideo_enc.c`. Encoding a crafted video stream with particular macroblock parameters can write past the end of a heap-allocated macroblock info buffer, potentially leading to arbitrary code execution or denial of service.  
\n**Fix Commit:** https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/8eecba02c7  \n**Pull Request:** https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21537  \n\n---\n\n## CVE-2026-39216\n\n**Component:** `libavformat/img2enc.c` \u2014 `write_packet()`  \n**Vulnerability Type:** Heap Buffer Overflow  \n**Description:** A heap buffer overflow exists in `write_packet()` in `libavformat/img2enc.c`. Muxing image frames with unexpected or malformed metadata can overflow a heap buffer, potentially leading to arbitrary code execution or denial of service.  \n**Fix Commit:** https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/ca1c1f29ce  \n**Pull Request:** https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21551  \n\n---\n\n## CVE-2026-39217\n\n**Component:** `libavcodec/vp9.c` \u2014 `vp9_decode_frame()`  \n**Vulnerability Type:** Heap Buffer Overflow  \n**Description:** A heap buffer overflow exists in `vp9_decode_frame()` in `libavcodec/vp9.c`. Decoding a crafted VP9 bitstream can write beyond the bounds of a heap-allocated frame buffer, potentially leading to arbitrary code execution or denial of service.  \n**Fix Commit:** https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/38230db7b9  \n**Pull Request:** https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21550  \n\n---\n\n## CVE-2026-39218\n\n**Component:** `libavformat/dashdec.c` \u2014 `get_current_fragment()`  \n**Vulnerability Type:** Heap Buffer Overflow  \n**Description:** A heap buffer overflow exists in `get_current_fragment()` in `libavformat/dashdec.c`. Parsing a crafted MPEG-DASH manifest with a malformed fragment URL or index can overflow a heap-allocated buffer, potentially leading to arbitrary code execution or denial of service.  
\n**Fix Commit:** https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/a97632827d  \n**Pull Request:** https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21568  \n\n---\n\n*This document was created as a public reference to satisfy CVE minimum data requirements per MITRE CVE Team request (CMI: MCID15752843).*\n", "creation_timestamp": "2026-05-08T18:19:08.000000Z"}