Detections
Analytics

FFmpeg <= 8.0.1 Multiple Vulnerabilities

high Nessus Plugin ID 307356

Synopsis

The version of FFmpeg installed on the remote host is affected by multiple vulnerabilities.

Description

The version of FFmpeg installed on the remote host is 8.0.1 or earlier. It is, therefore, affected by multiple vulnerabilities:

 - An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input. (CVE-2026-30997)

 - An improper resource deallocation and closure vulnerability in the tools/zmqsend.c component of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input file.
 (CVE-2026-30998)

 - A heap buffer overflow in the av_bprint_finalize() function of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input. (CVE-2026-30999)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

See vendor advisory.

See Also

http://www.nessus.org/u?00db0a7f

http://www.nessus.org/u?0a0e6299

http://www.nessus.org/u?11b11155

https://ffmpeg.org/security.html

Plugin Details

Severity: High

ID: 307356

File Name: ffmpeg_8_0_1.nasl

Version: 1.1

Type: Local

Agent: unix

Family: Misc.

Published: 4/17/2026

Updated: 4/17/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-30997

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: cpe:/a:ffmpeg:ffmpeg

Required KB Items: installed_sw/FFmpeg

Vulnerability Publication Date: 4/13/2026

Reference Information

CVE: CVE-2026-30997, CVE-2026-30998, CVE-2026-30999

IAVB: 2026-B-0094