Alpine: multiple ffmpeg packages: security update to 8.0-r0

Severity: High. Tenable Cloud Security Plugin ID 436230

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. This affects the
function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c of the component AAC Encoder. The
manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The
exploit has been disclosed to the public and may be used. (CVE-2025-1594)

- A flaw was found in FFmpeg's TTY Demuxer. This vulnerability allows possible data exfiltration via
improper parsing of non-TTY-compliant input files in HLS playlists. (CVE-2023-6602)

- A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage
consumption, potentially leading to degraded performance or denial of service via the demuxing of
arbitrary data as XBIN-formatted data without proper format validation. (CVE-2023-6604)

- A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests
to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs.
(CVE-2023-6605)

- An unchecked return value and out-of-bounds read vulnerability in FFmpeg allows reading sensitive
constants within an executable. The vulnerability is associated with the program file
https://github.com/FFmpeg/FFmpeg/blob/master/libavfilter/af_pan.c . This issue affects FFmpeg 7.1. The
issue was fixed in https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a .
This issue was discovered by Simcha Kosman. (CVE-2025-0518)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-6602

https://security.alpinelinux.org/vuln/CVE-2023-6604

https://security.alpinelinux.org/vuln/CVE-2023-6605

https://security.alpinelinux.org/vuln/CVE-2025-0518

https://security.alpinelinux.org/vuln/CVE-2025-1373

https://security.alpinelinux.org/vuln/CVE-2025-1594

https://security.alpinelinux.org/vuln/CVE-2025-1816

https://security.alpinelinux.org/vuln/CVE-2025-22919

https://security.alpinelinux.org/vuln/CVE-2025-22920

https://security.alpinelinux.org/vuln/CVE-2025-25471

https://security.alpinelinux.org/vuln/CVE-2025-59728

https://security.alpinelinux.org/vuln/CVE-2025-59729

https://security.alpinelinux.org/vuln/CVE-2025-59730

https://security.alpinelinux.org/vuln/CVE-2025-59731

https://security.alpinelinux.org/vuln/CVE-2025-59732

https://security.alpinelinux.org/vuln/CVE-2025-59733

https://security.alpinelinux.org/vuln/CVE-2025-59734

Plugin Details

Severity: High

ID: 436230

Version: Revision 1.4

Type: Local

Published: 12/4/2025

Updated: 6/1/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.96

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-1594

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 7.2

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

CVSS Score Source: CVE-2025-59734

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 8/8/2024

Reference Information

CVE: CVE-2023-6602, CVE-2023-6604, CVE-2023-6605, CVE-2025-0518, CVE-2025-1373, CVE-2025-1594, CVE-2025-1816, CVE-2025-22919, CVE-2025-22920, CVE-2025-25471, CVE-2025-59728, CVE-2025-59729, CVE-2025-59730, CVE-2025-59731, CVE-2025-59732, CVE-2025-59733, CVE-2025-59734

IAVB: 2024-B-0110-S, 2025-B-0018-S, 2025-B-0060-S, 2025-B-0150