CVE-2021-38171 Overview
CVE-2021-38171 is a critical input validation vulnerability in FFmpeg 4.4 that affects the adts_decode_extradata function within libavformat/adtsenc.c. The vulnerability stems from a missing return value check for the init_get_bits function, which allows attackers to craft malicious input that can lead to undefined behavior, memory corruption, or arbitrary code execution.
The flaw exists because the second argument to init_get_bits can be crafted by an attacker. Without proper validation of the return value, the function continues execution with potentially corrupted or uninitialized bit context data, creating opportunities for exploitation.
Critical Impact
This vulnerability allows remote attackers to potentially execute arbitrary code or cause denial of service through specially crafted media files processed by FFmpeg, affecting a wide range of applications that rely on FFmpeg for multimedia processing.
Affected Products
- FFmpeg 4.4
- Debian Linux 9.0
- Debian Linux 10.0
- Debian Linux 11.0
Discovery Timeline
- 2021-08-21 - CVE-2021-38171 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-38171
Vulnerability Analysis
The vulnerability resides in the Audio Data Transport Stream (ADTS) encoder component of FFmpeg's libavformat library. The adts_decode_extradata function is responsible for parsing audio configuration data from the extradata buffer. This function calls init_get_bits to initialize a bitstream reader (GetBitContext) for parsing the MPEG4 audio configuration.
The core issue is that init_get_bits can fail under various conditions—such as when the buffer size is invalid or when memory allocation fails—but the original code did not check this return value. This oversight means the subsequent parsing operations using the uninitialized or improperly configured GetBitContext structure could read from unexpected memory locations, leading to out-of-bounds memory access, information disclosure, or memory corruption.
Given the network attack vector and the lack of required privileges or user interaction, this vulnerability is particularly concerning for server-side applications that process untrusted media files.
Root Cause
The root cause is classified under CWE-252 (Unchecked Return Value). The init_get_bits function returns an error code when initialization fails, but the original implementation in adts_decode_extradata ignored this return value entirely. This pattern of unchecked return values is a common source of security vulnerabilities, especially in C/C++ codebases where error handling is manual and must be explicitly implemented.
The function assumed that bit context initialization would always succeed, proceeding immediately to use the GetBitContext structure for parsing MPEG4 audio configuration data without verification.
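To make the unchecked-return pattern concrete, here is an added C model (not FFmpeg's code): a byte-sized bit-reader initialiser that validates its length the way init_get_bits8 does, and a reduced AudioSpecificConfig parser that propagates the initialiser's status instead of ignoring it. BitReader, bitreader_init8, read_bits, decode_audio_config, the error codes and the sample extradata are all constructed for this example.

```c
#include <limits.h>
#include <stdint.h>

/* Reduced stand-in for FFmpeg's GetBitContext (not FFmpeg's code). */
typedef struct BitReader { const uint8_t *buf; int size_bits; int pos; } BitReader;
typedef struct AudioConfig { int object_type, sample_rate_index, channels; } AudioConfig;

/* Negative status codes, modelled on AVERROR-style returns (constructed). */
#define ERR_INVALIDDATA (-1)
#define ERR_TRUNCATED   (-2)

/* Byte-sized initialiser in the spirit of init_get_bits8: refuses a length
 * for which size * 8 would overflow an int, so a hostile extradata length
 * can never wrap into a small or negative bit count. */
static int bitreader_init8(BitReader *br, const uint8_t *buf, int byte_size) {
    if (!buf || byte_size < 0 || byte_size > INT_MAX / 8)
        return ERR_INVALIDDATA;
    br->buf = buf; br->size_bits = byte_size * 8; br->pos = 0;
    return 0;
}

/* Bounds-checked MSB-first read of n (1..24) bits; ERR_TRUNCATED on overrun. */
static int read_bits(BitReader *br, int n) {
    if (br->pos + n > br->size_bits) return ERR_TRUNCATED;
    int v = 0;
    for (int i = 0; i < n; i++, br->pos++)
        v = (v << 1) | ((br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1);
    return v;
}

/* Parses the first three AudioSpecificConfig fields from extradata and
 * propagates the initialiser's status instead of ignoring it (CWE-252).
 * Escape codes (object type 31, rate index 15) are rejected in this model. */
static int decode_audio_config(AudioConfig *c, const uint8_t *extradata, int size) {
    BitReader br;
    int ret = bitreader_init8(&br, extradata, size);   /* the check the fix adds */
    if (ret < 0) return ret;                           /* do not parse on failure */
    int ot = read_bits(&br, 5);
    int sr = read_bits(&br, 4);
    int ch = read_bits(&br, 4);
    if (ot < 0 || sr < 0 || ch < 0) return ERR_TRUNCATED;
    if (ot == 31 || sr > 12) return ERR_INVALIDDATA;
    c->object_type = ot; c->sample_rate_index = sr; c->channels = ch;
    return 0;
}

/* Constructed sample: AAC-LC (2), 44.1 kHz (index 4), stereo (2) = 0x12 0x10. */
static const uint8_t kSampleExtradata[2] = { 0x12, 0x10 };
```

A length of INT_MAX / 8 + 1 is the case the old size * 8 conversion could not represent; the byte-sized initialiser rejects it before any bit is read.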
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious media file with a specially constructed ADTS stream. When FFmpeg processes this file, the crafted extradata triggers a failure in init_get_bits that goes unchecked, allowing the attacker to influence subsequent parsing operations.
The attack can be delivered through:
- Media files uploaded to web applications using FFmpeg for transcoding
- Streaming content processed by FFmpeg-based media servers
- Any application that accepts untrusted media input and uses FFmpeg for processing
GetBitContext gb;
PutBitContext pb;
MPEG4AudioConfig m4ac;
- int off;
+ int off, ret;
- init_get_bits(&gb, buf, size * 8);
+ ret = init_get_bits8(&gb, buf, size);
+ if (ret < 0)
+ return ret;
off = avpriv_mpeg4audio_get_config2(&m4ac, buf, size, 1, s);
if (off < 0)
return off;
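Review bot: the early return on `ret < 0` is the right shape, and the call switch from `init_get_bits(&gb, buf, size * 8)` to `init_get_bits8(&gb, buf, size)` is what makes the check meaningful, since the byte-sized variant validates `size` itself instead of trusting a caller-computed `size * 8`, which can overflow an int for a hostile extradata length; the commit message should state that, because the hunk alone reads as a cosmetic API swap. Minor style point: FFmpeg usually folds the assignment into the condition, `if ((ret = init_get_bits8(&gb, buf, size)) < 0) return ret;`, matching the `if (off < 0) return off;` pattern just below.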
Source: GitHub Commit
The patch demonstrates the fix: introducing a return value variable ret, using the safer init_get_bits8 function, and properly checking the return value before continuing execution.
Detection Methods for CVE-2021-38171
Indicators of Compromise
- Unusual crashes or core dumps from FFmpeg or applications using FFmpeg libraries
- Unexpected memory access patterns or segmentation faults during media file processing
- Error logs indicating ADTS parsing failures followed by abnormal application behavior
- Suspicious media files with malformed ADTS headers or unusual extradata structures
Detection Strategies
- Monitor FFmpeg process behavior for unexpected crashes when processing ADTS audio streams
- Implement file integrity monitoring on systems running FFmpeg-based applications
- Deploy runtime application self-protection (RASP) solutions to detect memory corruption attempts
- Analyze input media files for malformed ADTS headers before processing
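The header check recommended above, as an added C pre-filter (not FFmpeg's ADTS parser): it walks every frame in a buffer and rejects a bad syncword, a non-zero layer, a reserved or forbidden sampling-frequency index, and a frame length that is shorter than its own header or runs past the buffer. It is a generic sanity filter for untrusted input, not a detector for this specific bug; adts_check_header, adts_validate and the two sample streams are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Strict sanity check of ADTS headers (ISO/IEC 13818-7 fixed + variable
 * header, 7 bytes, plus 2 CRC bytes when protection_absent == 0), walking
 * every frame in a buffer. Added pre-filter logic, not FFmpeg's parser. */
#define ADTS_HDR 7

/* Returns the frame length when the header at p is sane, else -1. */
static int adts_check_header(const uint8_t *p, size_t avail) {
    if (avail < ADTS_HDR) return -1;
    if (p[0] != 0xFF || (p[1] & 0xF0) != 0xF0) return -1;  /* 12-bit syncword 0xFFF */
    if ((p[1] & 0x06) != 0) return -1;                      /* layer must be 00 */
    int protection_absent = p[1] & 0x01;
    int sfi = (p[2] >> 2) & 0x0F;
    if (sfi > 12) return -1;                                /* 13/14 reserved, 15 forbidden */
    int frame_len = ((p[3] & 0x03) << 11) | (p[4] << 3) | (p[5] >> 5);
    int hdr = ADTS_HDR + (protection_absent ? 0 : 2);
    if (frame_len < hdr || (size_t)frame_len > avail) return -1;  /* must cover header, fit buffer */
    return frame_len;
}

/* Counts well-formed frames; -1 at the first malformed or truncated one. */
static int adts_validate(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int frames = 0;
    while (off < len) {
        int n = adts_check_header(buf + off, len - off);
        if (n < 0) return -1;
        off += (size_t)n;
        frames++;
    }
    return frames;
}

/* Constructed sample: two 11-byte frames (AAC-LC, 44.1 kHz, stereo, no CRC,
 * aac_frame_length = 11), each header followed by 4 bytes of dummy payload. */
static const uint8_t kTwoFrames[22] = {
    0xFF, 0xF1, 0x50, 0x80, 0x01, 0x7F, 0xFC, 0xAA, 0xBB, 0xCC, 0xDD,
    0xFF, 0xF1, 0x50, 0x80, 0x01, 0x7F, 0xFC, 0xAA, 0xBB, 0xCC, 0xDD,
};
/* Same header but aac_frame_length = 5, shorter than the header itself. */
static const uint8_t kShortFrame[11] = {
    0xFF, 0xF1, 0x50, 0x80, 0x00, 0xBF, 0xFC, 0xAA, 0xBB, 0xCC, 0xDD,
};
```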
Monitoring Recommendations
- Enable detailed logging for FFmpeg operations, particularly during audio codec initialization
- Set up crash monitoring and alerting for applications that process untrusted media content
- Implement sandboxing for FFmpeg processes to contain potential exploitation attempts
- Monitor for unusual patterns in media file uploads that may indicate exploitation attempts
How to Mitigate CVE-2021-38171
Immediate Actions Required
- Update FFmpeg to a version that includes the security patch (commit 9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6)
- Apply vendor-specific patches for Debian systems as outlined in DSA-4990 and DSA-4998
- Restrict processing of untrusted media files until patches are applied
- Implement input validation and sandboxing for media processing workflows
Patch Information
The official fix is available through the FFmpeg GitHub commit which adds proper return value checking for the init_get_bits8 function call in adts_decode_extradata.
Distribution-specific patches are available:
- Debian Security Advisory DSA-4990
- Debian Security Advisory DSA-4998
- Debian LTS Announcement
- Gentoo GLSA 202312-14
Workarounds
- Run FFmpeg processes in isolated containers or sandboxed environments to limit exploitation impact
- Implement pre-processing validation to reject suspicious or malformed media files before FFmpeg processing
- Use application-level firewalls to filter potentially malicious media uploads
- Disable ADTS encoding/decoding functionality if not required by your application
# Example: Running FFmpeg in a sandboxed environment using firejail
# --private replaces the home directory with an empty private copy, so run this
# from a working directory outside $HOME (or use --private=<dir> pointing at the
# directory that holds the files); --net=none removes network access and
# --no3d disables 3D hardware acceleration, neither of which transcoding needs.
firejail --private --net=none --no3d ffmpeg -i input.mp4 output.mp3
# Alternative: Use systemd sandboxing for FFmpeg services
# Add to systemd service unit file:
# [Service]
# ProtectSystem=strict          # filesystem read-only; grant output dirs with ReadWritePaths=
# PrivateTmp=true
# NoNewPrivileges=true
# MemoryDenyWriteExecute=true   # forbids writable+executable mappings, which FFmpeg does not need
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.