Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 903805 (CVE-2022-48434)

Summary: <media-video/ffmpeg-{4.4.3,6.0}: use-after-free leading to code execution
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: major CC: media-video
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-05 03:15:45 UTC
CVE-2022-48434 (

libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).
Comment 1 Larry the Git Cow gentoo-dev 2023-12-23 11:07:35 UTC
The bug has been referenced in the following commit(s):

commit 054115a94fa38350f4468052ec239cbacb5b8e26
Author:     GLSAMaker <>
AuthorDate: 2023-12-23 11:07:01 +0000
Commit:     Hans de Graaff <>
CommitDate: 2023-12-23 11:07:29 +0000

    [ GLSA 202312-14 ] FFmpeg: Multiple Vulnerabilities
    Signed-off-by: GLSAMaker <>
    Signed-off-by: Hans de Graaff <>

 glsa-202312-14.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)