{"id":"CVE-2023-46407","details":"FFmpeg prior to commit bf814 was discovered to contain an out of bounds read via the dist-\u003ealphabet_size variable in the read_vlc_prefix() function.","modified":"2026-02-24T01:24:59.294284Z","published":"2023-10-27T20:15:09.087Z","related":["CGA-hqrc-wvvr-ccxr"],"references":[{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/bf814387f42e9b0dea9d75c03db4723c88e7d962"},{"type":"FIX","url":"https://patchwork.ffmpeg.org/project/ffmpeg/patch/20231013014959.536776-1-leo.izen%40gmail.com/"},{"type":"FIX","url":"https://patchwork.ffmpeg.org/project/ffmpeg/patch/20231015004924.597746-1-leo.izen%40gmail.com/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ffmpeg/ffmpeg","events":[{"introduced":"0"},{"fixed":"bf814387f42e9b0dea9d75c03db4723c88e7d962"}]}],"versions":["N","n0.11-dev","n0.12-dev","n0.8","n1.1-dev","n1.2-dev","n1.3-dev","n2.0","n2.1-dev","n2.2-dev","n2.3-dev","n2.4-dev","n2.5-dev","n2.6-dev","n2.7-dev","n2.8-dev","n2.9-dev","n3.1-dev","n3.2-dev","n3.3-dev","n3.4-dev","n3.5-dev","n4.1-dev","n4.2-dev","n4.3-dev","n4.4-dev","n4.5-dev","n5.1-dev","n5.2-dev","n6.1-dev"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-46407.json","vanir_signatures":[{"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["220105966798282059149030715726161075097","180266453498400246804549189909960284257","73148644264980185597476409712978687637","286365265477864894663546510757351403280","314825778526346358653735226755182398776","26188299848253069645477578457604842870","110198206348898803625418330821014898473","50174480327311949858501076809751562445","241231218723808208340456890550097955329","215507175544650923089399575093236194023","135068194385828229163406492702140006936","66105321909184906114181906357038537826","103298978993242040100671715024707989084","59867939728337908485496230187377173800","186153454835257189652159919942203871455","217904120362395215651209069424841598492","244350113364213515402405323863438481593","22739512687949424616341514537521894591","195062092206686434824385287088849634092","146162376980627030924901460276244417252","133920733564074082834441774627524333534","68149985661876096145212288079652518284","8794963223613958660785421004769206966","167517125330278610343926185623958502797","311850500435999907485961778227643536943","27638573581810548983839897062912772353","208639768320764247846338918768595314724","39809637958411109255979130445286273541","192094578223806588773817202505907616487","291864371857363825018194682428755554932","299426667417931789722350074207923473636","157004792883306756351436045336708693246","95673350118243145527808864108976933409","332141338909193022304396035094518584512"],"threshold":0.9},"source":"https://github.com/ffmpeg/ffmpeg/commit/bf814387f42e9b0dea9d75c03db4723c88e7d962","id":"CVE-2023-46407-87c7faee","signature_type":"Line","target":{"file":"libavcodec/jpegxl_parser.c"}},{"signature_version":"v1","deprecated":false,"digest":{"function_hash":"253764707101986371767092635021744105843","length":3074},"source":"https://github.com/ffmpeg/ffmpeg/commit/bf814387f42e9b0dea9d75c03db4723c88e7d962","id":"CVE-2023-46407-b175de68","signature_type":"Function","target":{"file":"libavcodec/jpegxl_parser.c","function":"read_vlc_prefix"}}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}