Alpine: multiple ffmpeg packages: security update to 7.1.1-r0

Medium severity, Tenable Cloud Security Plugin ID 436215

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. This affects the
function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c of the component AAC Encoder. The
manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The
exploit has been disclosed to the public and may be used. (CVE-2025-1594)

- A flaw was found in FFmpeg's TTY Demuxer. This vulnerability allows possible data exfiltration via
improper parsing of non-TTY-compliant input files in HLS playlists. (CVE-2023-6602)

- A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage
consumption, potentially leading to degraded performance or denial of service via the demuxing of
arbitrary data as XBIN-formatted data without proper format validation. (CVE-2023-6604)

- A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests
to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs.
(CVE-2023-6605)

- Buffer overflow vulnerability in FFmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary
code via the config_eq_output function in the libavfilter/asrc_afirsrc.c:495:30 component.
(CVE-2023-49501)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-49501

https://security.alpinelinux.org/vuln/CVE-2023-49502

https://security.alpinelinux.org/vuln/CVE-2023-50007

https://security.alpinelinux.org/vuln/CVE-2023-50008

https://security.alpinelinux.org/vuln/CVE-2023-6602

https://security.alpinelinux.org/vuln/CVE-2023-6604

https://security.alpinelinux.org/vuln/CVE-2023-6605

https://security.alpinelinux.org/vuln/CVE-2024-28661

https://security.alpinelinux.org/vuln/CVE-2024-31578

https://security.alpinelinux.org/vuln/CVE-2024-31582

https://security.alpinelinux.org/vuln/CVE-2024-35367

https://security.alpinelinux.org/vuln/CVE-2024-35368

https://security.alpinelinux.org/vuln/CVE-2024-36617

https://security.alpinelinux.org/vuln/CVE-2024-7055

https://security.alpinelinux.org/vuln/CVE-2025-0518

https://security.alpinelinux.org/vuln/CVE-2025-1594

https://security.alpinelinux.org/vuln/CVE-2025-1816

https://security.alpinelinux.org/vuln/CVE-2025-22919

Plugin Details

Severity: Medium

ID: 436215

Version: Revision 1.4

Type: Local

Published: 12/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-1594

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 5.5

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2024-7055

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/17/2024

Reference Information

CVE: CVE-2023-49501, CVE-2023-49502, CVE-2023-50007, CVE-2023-50008, CVE-2023-6602, CVE-2023-6604, CVE-2023-6605, CVE-2024-28661, CVE-2024-31578, CVE-2024-31582, CVE-2024-35367, CVE-2024-35368, CVE-2024-36617, CVE-2024-7055, CVE-2025-0518, CVE-2025-1594, CVE-2025-1816, CVE-2025-22919

IAVB: 2024-B-0041-S, 2024-B-0110-S, 2025-B-0018-S, 2025-B-0060-S