{"id":"CVE-2017-9608","details":"The dnxhd decoder in FFmpeg before 3.2.6, and 3.3.x before 3.3.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted mov file.","modified":"2026-04-11T16:55:04.399691Z","published":"2017-12-27T19:29:00.723Z","related":["MGASA-2017-0262"],"references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2017/08/15/8"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/100348"},{"type":"ADVISORY","url":"https://www.debian.org/security/2017/dsa-3957"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/0a709e2a10b8288a0cc383547924ecfe285cef89"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/31c1c0b46a7021802c3d1d18039fca30dba5a14e"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/611b35627488a8d0763e75c25ee0875c5b7987dd"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2017/08/14/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ffmpeg/ffmpeg","events":[{"introduced":"0"},{"fixed":"431ccd3f55eae8732fe901622660c52fc712cc25"},{"introduced":"efa89a841941bf61d1a3eb5c2900f98e3e7db85b"},{"fixed":"9079c70d2095643af6954001d0627445650b85a6"},{"fixed":"0a709e2a10b8288a0cc383547924ecfe285cef89"},{"fixed":"31c1c0b46a7021802c3d1d18039fca30dba5a14e"},{"fixed":"611b35627488a8d0763e75c25ee0875c5b7987dd"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"3.2.6"},{"introduced":"3.3"},{"fixed":"3.3.3"}],"cpe":"cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*","source":["CPE_FIELD","REFERENCES"]}}],"versions":["N","n0.11-dev","n0.12-dev","n0.8","n1.1-dev","n1.2-dev","n1.3-dev","n2.0","n2.1-dev","n2.2-dev","n2.3-dev","n2.4-dev","n2.5-dev","n2.6-dev","n2.7-dev","n2.8-dev","n2.9-dev","n3.1-dev","n3.2","n3.2-dev","n3.2.1","n3.2.2","n3.2.3","n3.2.4","n3.2.5","n3.3","n3.3-dev","n3.3.1","n3.3.2","n3.4-dev"],"database_specific":{"vanir_signatures":[{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["57461358337514712756395136655201152808","80245587019904202682570818294677321241","247987104724374446862500083383862797627","136516107736779889432496692360651853885","255459594875552099711272227410435093620","206698390374465263881690078608755966825","110928872312797958069881088590198265328","81356332768943735539026862844028969216","114758231203302998653824498950488246886","328106599903300457399776673683261929738","206000672969287918923774033882627951319","307142452002623859979927565029061953571"]},"target":{"file":"libavcodec/dnxhd_parser.c"},"signature_type":"Line","source":"https://github.com/ffmpeg/ffmpeg/commit/31c1c0b46a7021802c3d1d18039fca30dba5a14e","signature_version":"v1","id":"CVE-2017-9608-2a919bd9"},{"deprecated":false,"digest":{"function_hash":"89707297390371257070099533510679552519","length":1782},"target":{"function":"dnxhd_find_frame_end","file":"libavcodec/dnxhd_parser.c"},"signature_type":"Function","source":"https://github.com/ffmpeg/ffmpeg/commit/31c1c0b46a7021802c3d1d18039fca30dba5a14e","signature_version":"v1","id":"CVE-2017-9608-39d461a0"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["57461358337514712756395136655201152808","80245587019904202682570818294677321241","247987104724374446862500083383862797627","136516107736779889432496692360651853885","255459594875552099711272227410435093620","206698390374465263881690078608755966825","110928872312797958069881088590198265328","81356332768943735539026862844028969216","114758231203302998653824498950488246886","156998456537400884220674302983198554191","325436162585347255892603977106384527528","280945907134446947319404938646302632133"]},"target":{"file":"libavcodec/dnxhd_parser.c"},"signature_type":"Line","source":"https://github.com/ffmpeg/ffmpeg/commit/0a709e2a10b8288a0cc383547924ecfe285cef89","signature_version":"v1","id":"CVE-2017-9608-84fa9a4b"},{"deprecated":false,"digest":{"function_hash":"2601796132145701510809948212467564680","length":1532},"target":{"function":"dnxhd_find_frame_end","file":"libavcodec/dnxhd_parser.c"},"signature_type":"Function","source":"https://github.com/ffmpeg/ffmpeg/commit/611b35627488a8d0763e75c25ee0875c5b7987dd","signature_version":"v1","id":"CVE-2017-9608-9ed20a68"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["57461358337514712756395136655201152808","80245587019904202682570818294677321241","247987104724374446862500083383862797627","136516107736779889432496692360651853885","255459594875552099711272227410435093620","275354664576526898216108658457417285073","246617255682840904383175229502656738661","3413330245974307559533751462905375835","122422883785111637006293168254662554174","156998456537400884220674302983198554191","325436162585347255892603977106384527528","280945907134446947319404938646302632133"]},"target":{"file":"libavcodec/dnxhd_parser.c"},"signature_type":"Line","source":"https://github.com/ffmpeg/ffmpeg/commit/611b35627488a8d0763e75c25ee0875c5b7987dd","signature_version":"v1","id":"CVE-2017-9608-cdb5746b"},{"deprecated":false,"digest":{"function_hash":"2601796132145701510809948212467564680","length":1532},"target":{"function":"dnxhd_find_frame_end","file":"libavcodec/dnxhd_parser.c"},"signature_type":"Function","source":"https://github.com/ffmpeg/ffmpeg/commit/0a709e2a10b8288a0cc383547924ecfe285cef89","signature_version":"v1","id":"CVE-2017-9608-d289a3db"}],"vanir_signatures_modified":"2026-04-11T16:55:04Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9608.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}