FFmpeg older than 8.1 can be tricked into writing outside its memory

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

4.9

FFmpeg older than 8.1 can be tricked into writing outside its memory

CVE-2026-40962

Summary

Older versions of FFmpeg, a tool for video processing, have a security flaw that could let an attacker make the program write data to a wrong place in its memory. This could potentially be used to take control of the program or cause it to crash. Update to the latest version to fix this issue.

Original title

FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c.

Original description

FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c.

nvd CVSS3.1 4.9

Vulnerability type

CWE-190 Integer Overflow

https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22348

Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026