{"id":"CVE-2024-36617","details":"FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF decoder.","modified":"2026-04-10T21:41:22.464563Z","published":"2024-11-29T18:15:07.230Z","related":["SUSE-SU-2025:02352-1","SUSE-SU-2025:02381-1","openSUSE-SU-2025:15177-1","openSUSE-SU-2025:15215-1"],"references":[{"type":"WEB","url":"https://github.com/FFmpeg/FFmpeg/blob/n6.1.1/libavformat/cafdec.c#L274"},{"type":"ADVISORY","url":"https://gist.github.com/1047524396/f20749f8addc8f86de9cfacf17ba29df"},{"type":"FIX","url":"https://github.com/ffmpeg/ffmpeg/commit/d973fcbcc2f944752ff10e6a76b0b2d9329937a7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ffmpeg/ffmpeg","events":[{"introduced":"0"},{"fixed":"62e1c442633e8a09a1407a789cd2b50611850788"},{"introduced":"ace829cb45cff530b8a0aed6adf18f329d7a98f6"},{"fixed":"b0fe83714bba7269dc76a5ab9ca0d87b311b0aee"},{"introduced":"80bb65fafab1d2f5f58a8453c6334c784ee27c08"},{"fixed":"41a5eae142c8f00980ae6d58bf3cf8a869e5231a"},{"introduced":"c5079bf3bccd24bf8ed45ff47ff4071fd09e9fd8"},{"fixed":"9bcede27c26b2f7cd469ab6b5c8b9694c30cfca3"},{"introduced":"390d6853d0ef408007feb39c0040682c81c02751"},{"fixed":"b1a4534186ca51b0457579fc05a5739eb2cc45cd"},{"fixed":"d973fcbcc2f944752ff10e6a76b0b2d9329937a7"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.4.14"},{"introduced":"4.0"},{"fixed":"4.2.9"},{"introduced":"4.3"},{"fixed":"4.3.7"},{"introduced":"4.4"},{"fixed":"4.4.5"},{"introduced":"5.0"},{"fixed":"6.1.2"}]}}],"versions":["N","n0.11-dev","n0.12-dev","n0.8","n1.1-dev","n1.2-dev","n1.3-dev","n2.0","n2.1-dev","n2.2-dev","n2.3-dev","n2.4-dev","n2.5-dev","n2.6-dev","n2.7-dev","n2.8-dev","n2.9-dev","n3.1-dev","n3.2-dev","n3.3-dev","n3.4","n3.4-dev","n3.4.1","n3.4.10","n3.4.11","n3.4.12","n3.4.13","n3.4.2","n3.4.3","n3.4.4","n3.4.5","n3.4.6","n3.4.7","n3.4.8","n3.4.9","n3.5-dev","n4.1-dev","n4.2","n4.2-dev","n4.2.1","n4.2.2","n4.2.3","n4.2.4","n4.2.5","n4.2.6","n4.2.7","n4.2.8","n4.3","n4.3-dev","n4.3.1","n4.3.2","n4.3.3","n4.3.4","n4.3.5","n4.3.6","n4.4","n4.4-dev","n4.4.1","n4.4.2","n4.4.3","n4.4.4","n4.5-dev","n5.1-dev","n5.2-dev","n6.1","n6.1-dev","n6.1.1","n6.2-dev"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/ffmpeg/ffmpeg/commit/d973fcbcc2f944752ff10e6a76b0b2d9329937a7","id":"CVE-2024-36617-1c8c6403","digest":{"line_hashes":["44973636752222320202739228100696163360","274436137156896354455671107439876243104","184972138392671777370760264547244923719","236992614078391776037833767438845251703"],"threshold":0.9},"deprecated":false,"signature_type":"Line","signature_version":"v1","target":{"file":"libavformat/cafdec.c"}},{"source":"https://github.com/ffmpeg/ffmpeg/commit/d973fcbcc2f944752ff10e6a76b0b2d9329937a7","id":"CVE-2024-36617-b1262d81","digest":{"function_hash":"82835186559573989995264497669114067249","length":1265},"deprecated":false,"signature_type":"Function","signature_version":"v1","target":{"file":"libavformat/cafdec.c","function":"read_pakt_chunk"}}],"vanir_signatures_modified":"2026-04-10T21:41:22Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-36617.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}