Heap-based Buffer Overflow Affecting openh264-sys2 package, versions <0.8.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-OPENH264SYS2-8745978
- published25 Feb 2025
- disclosed20 Feb 2025
- creditOctavian Guzu, Andrew Calvano
Introduced: 20 Feb 2025
NewCVE-2025-27091 (opens in a new tab)How to fix?
Upgrade openh264-sys2 to version 0.8.0 or higher.
Overview
openh264-sys2 is a low-level bindings for OpenH264.
Affected versions of this package are vulnerable to Heap-based Buffer Overflow due to a race condition between a Sequence Parameter Set (SPS) memory allocation and a subsequent non Instantaneous Decoder Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An attacker can cause an unexpected crash in the victim's user decoding client and potentially execute arbitrary commands on the victim's host by crafting a malicious bitstream and tricking a victim user into processing an arbitrary video containing the malicious bitstream.