{
  "threat_severity" : "Important",
  "public_date" : "2025-10-06T08:09:44Z",
  "bugzilla" : {
    "description" : "FFmpeg: FFmpeg: Use-after-free vulnerability in SANM decoding",
    "id" : "2401800",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401800"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-416",
  "details" : [ "It is possible to cause an use-after-free write in SANM decoding with a carefully crafted animation using subversion <2.\nWhen a STOR chunk is present, a subsequent FOBJ chunk will be saved in ctx->stored_frame. Stored frames can later be referenced by FTCH chunks. For files using subversion < 2, the undecoded frame is stored, and decoded again when the FTCH chunks are parsed. However, in process_frame_obj if the frame has an invalid size, there’s an early return, with a value of 0. \nThis causes the code in decode_frame to still store the raw frame buffer into ctx->stored_frame. Leaving ctx->has_dimensions set to false.\nA subsequent chunk with type FTCH would call process_ftch and decode that frame obj again, adding to the top/left values and calling process_frame_obj again.\nGiven that we never set ctx->have_dimensions before, this time we set the dimensions, calling init_buffers, which can reallocate the buffer in ctx->stored_frame, freeing the previous one. However, the GetByteContext object gb still holds a reference to the old buffer.\nFinally, when the code tries to decode the frame, codecs that accept a GetByteContext as a parameter will trigger a use-after-free read when using gb.\nGetByteContext is only used for reading bytes, so at most one could read invalid data. There are no heap allocations between the free and when the object is accessed. However, upon returning to process_ftch, the code restores the original values for top/left in stored_frame, writing 4 bytes to the freed data at offset 6, potentially corrupting the allocator’s metadata.\nThis issue can be triggered just by probing whether a file has the sanm format.\nWe recommend upgrading to version 8.0 or beyond.", "A flaw was found in FFmpeg. This vulnerability allows a use-after-free write and read via a carefully crafted animation file during SANM (Scaleable Adaptive Network Management) decoding." ],
  "statement" : "The highest threat of this use-after-free vulnerability in FFmpeg's SANM decoding is to system availability. An attacker on the same network segment could trigger a denial of service by providing a specially crafted animation file, potentially corrupting memory allocator metadata.",
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-59734\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-59734\nhttps://b.corp.google.com/issues/440183164" ],
  "name" : "CVE-2025-59734",
  "csaw" : false
}