Description

OpenH264 is a free license codec library which supports H.264 encoding and decoding. A vulnerability in the decoding functions of OpenH264 codec library could allow a remote, unauthenticated attacker to trigger a heap overflow. This vulnerability is due to a race condition between a Sequence Parameter Set (SPS) memory allocation and a subsequent non Instantaneous Decoder Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An attacker could exploit this vulnerability by crafting a malicious bitstream and tricking a victim user into processing an arbitrary video containing the malicious bistream. An exploit could allow the attacker to cause an unexpected crash in the victim's user decoding client and, possibly, perform arbitrary commands on the victim's host by abusing the heap overflow. This vulnerability affects OpenH264 2.5.0 and earlier releases. Both Scalable Video Coding (SVC) mode and Advanced Video Coding (AVC) mode are affected by this vulnerability. OpenH264 software releases 2.6.0 and later contained the fix for this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability. ### For more information If you have any questions or comments about this advisory: * [Open an issue in cisco/openh264](https://github.com/cisco/openh264/issues) * Email Cisco Open Source Security ([oss-security@cisco.com](mailto:oss-security@cisco.com)) and Cisco PSIRT ([psirt@cisco.com](mailto:psirt@cisco.com)) ### Credits: * **Research:** Octavian Guzu and Andrew Calvano of Meta * **Fix ideation:** Philipp Hancke and Shyam Sadhwani of Meta * **Fix implementation:** Benzheng Zhang (@BenzhengZhang) * **Release engineering:** Benzheng Zhang (@BenzhengZhang)

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CNA:  GitHub, Inc.

CVSS-B 8.6 HIGH

Vector:  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  7.5 HIGH

Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://github.com/cisco/openh264/releases/tag/v2.6.0	Release Notes
https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x	Vendor Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-787	Out-of-bounds Write	NIST
CWE-122	Heap-based Buffer Overflow	GitHub, Inc.

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Configuration 1 ( hide )

cpe:2.3:a:cisco:openh264:*:*:*:*:*:*:*:*    Show Matching CPE(s)

Up to (excluding) 2.6.0

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

2 change records found show changes

Initial Analysis by NIST 2/27/2025 3:28:14 PM

Action	Type	Old Value	New Value
Added	CVSS V3.1		AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Added	CWE		CWE-787
Added	CPE Configuration		OR *cpe:2.3:a:cisco:openh264:*:*:*:*:*:*:*:* versions from (excluding) 2.6.0
Added	Reference Type		GitHub, Inc.: https://github.com/cisco/openh264/releases/tag/v2.6.0 Types: Release Notes
Added	Reference Type		GitHub, Inc.: https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x Types: Vendor Advisory

New CVE Received from GitHub, Inc. 2/20/2025 1:15:26 PM

Action	Type	Old Value	New Value
Added	Description		Record truncated, showing 500 of 1726 characters. View Entire Change Record OpenH264 is a free license codec library which supports H.264 encoding and decoding. A vulnerability in the decoding functions of OpenH264 codec library could allow a remote, unauthenticated attacker to trigger a heap overflow. This vulnerability is due to a race condition between a Sequence Parameter Set (SPS) memory allocation and a subsequent non Instantaneous Decoder Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An attacker could exploit this vulnerability by crafting
Added	CVSS V4.0		AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Added	CWE		CWE-122
Added	Reference		https://github.com/cisco/openh264/releases/tag/v2.6.0
Added	Reference		https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x