{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-06T08:08:46Z",
  "bugzilla" : {
    "description" : "FFmpeg: FFmpeg: Integer underflow in DHAV file header parsing leads to out-of-bounds read",
    "id" : "2401798",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401798"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-787",
  "details" : [ "When parsing the header for a DHAV file, there's an integer underflow in the offset calculation that leads to reading the duration from before the start of the allocated buffer.\nIf we load a DHAV file that is larger than MAX_DURATION_BUFFER_SIZE bytes (0x100000), for example 0x101000 bytes, then at [0] we have size = 0x101000. At [1] we have end_buffer_size = 0x100000, and at [2] we have end_buffer_pos = 0x1000.\nThe loop then scans backwards through the buffer looking for the dhav tag; when it is found, we'll calculate end_pos based on a 32-bit offset read from the buffer.\nThere is subsequently a check [3] that end_pos is within the section of the file that has been copied into end_buffer, but it only correctly handles the cases where end_pos is before the start of the file or after the section copied into end_buffer, and not the case where end_pos is within the file, but before the section copied into end_buffer. If we provide such an offset, (end_pos - end_buffer_pos) can underflow, resulting in the subsequent access at [4] occurring before the beginning of the allocation.\nWe recommend upgrading to version 8.0 or beyond.", "A flaw was found in FFmpeg. This vulnerability allows an out-of-bounds read via an integer underflow in the offset calculation when parsing the header for a Digital Home Audio/Video (DHAV) file." ],
  "statement" : "The vulnerability in FFmpeg, an integer underflow leading to an out-of-bounds read during DHAV file header parsing, primarily impacts the availability of systems processing untrusted DHAV media files. Red Hat rates this as Moderate due to the potential for denial of service when processing specially crafted input.",
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-59729\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-59729\nhttps://issuetracker.google.com/433513232" ],
  "name" : "CVE-2025-59729",
  "csaw" : false
}