CVE-2023-32570 Overview
CVE-2023-32570 is a race condition vulnerability in VideoLAN dav1d, an open-source AV1 cross-platform decoder. Versions before 1.2.0 contain a thread synchronization flaw in thread_task.c that can lead to an application crash. The vulnerability is related to the dav1d_decode_frame_exit function and occurs when concurrent threads access shared resources without proper synchronization.
Critical Impact
This race condition vulnerability can cause denial of service through application crashes when processing AV1 video content, affecting media players and applications that rely on dav1d for AV1 decoding.
Affected Products
- VideoLAN dav1d versions prior to 1.2.0
- Fedora 37 (with vulnerable dav1d packages)
- Fedora 38 (with vulnerable dav1d packages)
Discovery Timeline
- 2023-05-10 - CVE-2023-32570 published to NVD
- 2025-01-28 - Last updated in NVD database
Technical Details for CVE-2023-32570
Vulnerability Analysis
This vulnerability is classified as CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), commonly known as a race condition. The flaw exists in the thread task management code within thread_task.c, specifically involving the dav1d_decode_frame_exit function.
The dav1d decoder uses multi-threaded processing to achieve high-performance AV1 decoding. When multiple threads attempt to access or modify shared state during frame decoding completion, a timing window exists where improper synchronization can lead to undefined behavior. An attacker could potentially craft malicious AV1 video content designed to trigger this race condition, causing the decoding application to crash.
The vulnerability requires network access to exploit, as malicious content must be delivered to the victim's system. However, the attack complexity is high due to the inherent difficulty in reliably triggering race conditions—the exact timing conditions must align for successful exploitation.
Root Cause
The root cause is improper thread synchronization in the frame decoding exit path. When dav1d_decode_frame_exit is called, multiple threads may simultaneously access shared resources without adequate locking mechanisms or memory barriers. This Time-of-Check Time-of-Use (TOCTOU) scenario creates a window where thread interleaving can corrupt internal state or access freed memory, ultimately leading to a crash.
Attack Vector
The attack vector is network-based, where an attacker delivers specially crafted AV1 video content to a victim. The attack scenario involves:
- An attacker creates or modifies an AV1 video file designed to stress the multi-threaded decoder
- The victim opens the malicious video using an application that relies on dav1d for AV1 decoding (such as VLC media player, FFmpeg-based applications, or web browsers with AV1 support)
- During playback, the race condition is triggered in the thread task management code
- The application crashes, resulting in denial of service
Exploitation does not require privileges or any user interaction beyond opening the malicious content, though success depends on precise timing conditions that are difficult to control remotely.
Detection Methods for CVE-2023-32570
Indicators of Compromise
- Application crashes during AV1 video playback with stack traces pointing to thread_task.c or dav1d_decode_frame_exit
- Unexpected termination of media players or applications when processing specific AV1 content
- Core dumps or crash reports indicating thread synchronization issues in the dav1d library
Detection Strategies
- Monitor application crash logs for patterns involving dav1d library functions
- Implement application stability monitoring for media playback services
- Use address sanitizer (ASAN) or thread sanitizer (TSAN) builds during testing to detect race conditions
- Review system logs for repeated crashes of applications using dav1d for AV1 decoding
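One way to apply the crash-log strategies above, as an added example that is not part of the original advisory or the dav1d project. The log format, host names and the repeat threshold are constructed assumptions; only the two matched symbols come from this page.

```shell
#!/bin/sh
# Added example: group crash records that mention the advisory's symbols.
# [.] keeps the dot literal without relying on awk -v escape handling.
PATTERN='dav1d_decode_frame_exit|thread_task[.]c'

# Read crash log lines on stdin and print "host process count" for every
# host/process pair with at least MIN matching lines (default 2, an assumed
# threshold for "repeated crashes").
triage_crashes() {
    awk -v pat="$PATTERN" -v min="${1:-2}" '
        $0 ~ pat {
            proc = $3
            sub(/\[[0-9]+\]:$/, "", proc)    # "vlc[4312]:" -> "vlc"
            count[$2 " " proc]++
        }
        END {
            for (key in count)
                if (count[key] >= min)
                    print key, count[key]
        }
    ' | sort
}

# Constructed sample in an assumed format: timestamp host process[pid]: message
sample_log() {
    cat <<'EOF'
2023-06-01T10:02:11Z ws-01 vlc[4312]: crash SIGSEGV frame=dav1d_decode_frame_exit src=thread_task.c
2023-06-01T10:05:40Z ws-01 vlc[4398]: crash SIGSEGV frame=dav1d_decode_frame_exit src=thread_task.c
2023-06-01T10:07:02Z ws-02 ffmpeg[911]: crash SIGABRT frame=dav1d_decode_frame_exit src=thread_task.c
2023-06-01T10:09:15Z ws-01 vlc[4410]: crash SIGSEGV frame=render_loop src=ui.c
2023-06-01T10:11:33Z ws-03 mpv[77]: exit status=0
EOF
}

sample_log | triage_crashes
```

Adapt the field positions in the awk program to the crash reporter actually in use; a single match is still worth correlating with the installed dav1d version.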
Monitoring Recommendations
- Enable crash reporting for applications that use dav1d for video decoding
- Monitor for unusual patterns of application restarts in media playback services
- Implement endpoint detection and response (EDR) monitoring for application stability anomalies
- Track dav1d library versions across your environment to identify vulnerable installations
How to Mitigate CVE-2023-32570
Immediate Actions Required
- Upgrade VideoLAN dav1d to version 1.2.0 or later immediately
- Update Fedora 37 and Fedora 38 systems using the official package announcements
- Audit all applications and systems using dav1d for AV1 decoding
- Review dependencies in media applications that may bundle vulnerable dav1d versions
Patch Information
VideoLAN has released dav1d version 1.2.0 which addresses this race condition vulnerability. The fix is available in commit cf617fdae0b9bfabd27282854c8e81450d955efa. Security advisories have also been issued by multiple Linux distributions:
- VLC Commit Update - Direct patch commit
- VLC Release Tag 1.2.0 - Fixed release version
- Fedora Package Announcement - Fedora security update
- Gentoo GLSA 202310-05 - Gentoo Linux security advisory
Workarounds
- Limit AV1 video playback to trusted sources until patching is complete
- Consider disabling multi-threaded decoding if configurable in your application (may impact performance)
- Implement network filtering to block untrusted AV1 content sources
- Use application sandboxing to limit the impact of potential crashes
# Check installed dav1d version
# Debian/Ubuntu
dpkg -l | grep dav1d
# Fedora/RHEL
rpm -qa | grep dav1d
# Update on Fedora systems
sudo dnf update dav1d
# Verify the updated version is 1.2.0 or later
dav1d --version
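The version check above can be automated across a package inventory. This is an added example, not code from the advisory or the dav1d project; the inventory lines are constructed, and the comparison looks only at the upstream version number.

```shell
#!/bin/sh
# Added example: flag dav1d packages whose upstream version predates the fix.
FIXED_VERSION="1.2.0"   # fixed release named in the advisory

# Print the upstream part of a dpkg/rpm version string:
# drops an epoch ("1:") and the distro release suffix ("-2.fc37").
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-.*$//'
}

# Exit 0 if the given package version is older than FIXED_VERSION.
# sort -V compares numerically per component, so 1.10.0 ranks above 1.2.0.
is_vulnerable() {
    v=$(upstream_version "$1")
    if [ "$v" = "$FIXED_VERSION" ]; then
        return 1
    fi
    lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$v" ]
}

# Read "package version" lines on stdin; print the vulnerable dav1d ones.
audit_dav1d() {
    while read -r pkg ver; do
        case "$pkg" in
            *dav1d*) ;;
            *) continue ;;
        esac
        if is_vulnerable "$ver"; then
            printf 'VULNERABLE %s %s\n' "$pkg" "$ver"
        fi
    done
}

# Constructed inventory, in the shape produced by:
#   dpkg-query -W -f='${Package} ${Version}\n'
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
sample_inventory() {
    cat <<'EOF'
libdav1d 1.0.0-2.fc37
libdav1d6 1.0.0-2
dav1d 1.2.0-1.fc38
libdav1d 1:1.10.0-1
vlc 3.0.18-2
EOF
}

sample_inventory | audit_dav1d
```

A distribution may backport the fix without changing the upstream version, so confirm flagged packages against the distribution's advisory. Copies of dav1d bundled inside applications do not appear in package-manager output and need a separate check.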

