{"id":"CVE-2019-9721","details":"A denial of service in the subtitle decoder in FFmpeg 3.2 and 4.1 allows attackers to hog the CPU via a crafted video file in Matroska format, because handle_open_brace in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.","modified":"2026-02-24T01:19:41.018056Z","published":"2019-03-12T09:29:00.577Z","related":["SUSE-SU-2021:2919-1","SUSE-SU-2021:2929-1","openSUSE-SU-2021:2919-1"],"references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/107384"},{"type":"ADVISORY","url":"https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/894995c41e0795c7a44f81adc4838dedc3932e65"},{"type":"ADVISORY","url":"https://github.com/FFmpeg/FFmpeg/commit/273f2755ce8635d42da3cde0eeba15b2e7842774"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3967-1/"},{"type":"FIX","url":"https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/894995c41e0795c7a44f81adc4838dedc3932e65"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/273f2755ce8635d42da3cde0eeba15b2e7842774"},{"type":"ARTICLE","url":"https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/894995c41e0795c7a44f81adc4838dedc3932e65"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.ffmpeg.org/ffmpeg.git","events":[{"introduced":"0"},{"fixed":"894995c41e0795c7a44f81adc4838dedc3932e65"}]}],"versions":["N","n0.11-dev","n0.12-dev","n0.8","n1.1-dev","n1.2-dev","n1.3-dev","n2.0","n2.1-dev","n2.2-dev","n2.3-dev","n2.4-dev","n2.5-dev","n2.6-dev","n2.7-dev","n2.8-dev","n2.9-dev","n3.1-dev","n3.2-dev","n3.3-dev","n3.4-dev","n3.5-dev","n4.1-dev","n4.2-dev"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-9721.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/ffmpeg/ffmpeg","events":[{"introduced":"0"},{"fixed":"273f2755ce8635d42da3cde0eeba15b2e7842774"}]}],"versions":["N","n0.11-dev","n0.12-dev","n0.8","n1.1-dev","n1.2-dev","n1.3-dev","n2.0","n2.1-dev","n2.2-dev","n2.3-dev","n2.4-dev","n2.5-dev","n2.6-dev","n2.7-dev","n2.8-dev","n2.9-dev","n3.1-dev","n3.2","n3.2-dev","n3.2.1","n3.2.10","n3.2.11","n3.2.12","n3.2.13","n3.2.2","n3.2.3","n3.2.4","n3.2.5","n3.2.6","n3.2.7","n3.2.8","n3.2.9"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","signature_type":"Function","id":"CVE-2019-9721-1e4b4ede","target":{"file":"libavcodec/htmlsubtitles.c","function":"ff_htmlmarkup_to_ass"},"digest":{"function_hash":"51195086334001458191859035190219042570","length":3610},"source":"https://github.com/ffmpeg/ffmpeg/commit/273f2755ce8635d42da3cde0eeba15b2e7842774","deprecated":false},{"signature_version":"v1","signature_type":"Line","id":"CVE-2019-9721-efb6ae89","target":{"file":"libavcodec/htmlsubtitles.c"},"digest":{"line_hashes":["181052376676104601782979859616773957010","114335331683057061847747733341231002884","52182576610393413327815494532710655027","151988408299784471571915177291850664201","143530476180291881434987183528048468203","20671168889515778463202263099394878314","117734745311139794259276495167403311113","247691314197916473622205852293270336349","91970035849042864838408869607449612939","298548214798456625181670453837162301144","51594798183235078235674705393957355135","244888744203267073148994254791264550488"],"threshold":0.9},"source":"https://github.com/ffmpeg/ffmpeg/commit/273f2755ce8635d42da3cde0eeba15b2e7842774","deprecated":false}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-9721.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}