FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options function of sbgdec.c within the libavformat module. When parsing certain options, the software does not adequately validate the input. This allows for negative duration values to be accepted without proper bounds checking.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7823-1 advisory.

    It was discovered that FFmpeg did not correctly handle certain memory operations. An attacker could     possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected     Ubuntu 24.04 LTS. (CVE-2024-35365)

    It was discovered that FFmpeg did not correctly handle certain integer calculations. An attacker could     possibly use this issue to cause a denial of service. (CVE-2024-35366)

    It was discovered that FFmpeg may perform an out-of-bounds read under certain circumstances. An attacker     could possibly use this issue to cause a denial of service. (CVE-2024-35367)

    It was discovered that FFmpeg did not correctly handle certain memory operations. An attacker could     possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected     Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-35368)

    It was discovered that FFmpeg did not correctly handle certain inputs, which could lead to an integer     overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary     code. (CVE-2024-36613, CVE-2024-36616, CVE-2024-36618)

    It was discovered that FFmpeg did not correctly handle certain inputs, which could lead to an integer     overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary     code. This issue only affected Ubuntu 24.04 LTS. (CVE-2024-36619)

    It was discovered that FFmpeg did not correctly handle certain memory operations. A remote attacker could     possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected     Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-7055)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options function of sbgdec.c     within the libavformat module. When parsing certain options, the software does not adequately validate the     input. This allows for negative duration values to be accepted without proper bounds checking.
    (CVE-2024-35366)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
270676	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : FFmpeg vulnerabilities (USN-7823-1)	Nessus	Ubuntu Local Security Checks	medium
229207	Linux Distros Unpatched Vulnerability : CVE-2024-35366	Nessus	Misc.	critical

Detections

Analytics

CVE-2024-35366

critical

Tenable Plugins

medium

critical