CVE-2024-22860 Overview
CVE-2024-22860 is an integer overflow vulnerability affecting FFmpeg versions before n6.1. The vulnerability exists in the jpegxl_anim_read_packet component within the JPEG XL Animation decoder, allowing remote attackers to execute arbitrary code through specially crafted media files.
Critical Impact
This integer overflow vulnerability enables remote code execution without authentication, potentially allowing attackers to gain complete control over systems processing malicious JPEG XL animation files.
Affected Products
- FFmpeg versions prior to n6.1
- Applications and services utilizing vulnerable FFmpeg libraries for JPEG XL animation processing
- Media processing pipelines incorporating affected FFmpeg components
Discovery Timeline
- 2024-01-27 - CVE-2024-22860 published to NVD
- 2025-08-11 - Last updated in NVD database
Technical Details for CVE-2024-22860
Vulnerability Analysis
The vulnerability stems from an integer overflow condition (CWE-190) in the JPEG XL animation decoder component of FFmpeg. When processing JPEG XL animation files, the jpegxl_anim_read_packet function fails to properly validate that the file size fits within the bounds of an integer argument. This oversight allows attackers to supply maliciously crafted files that trigger arithmetic overflow conditions.
The integer overflow occurs when the avio_size() function returns a value larger than INT_MAX, which is subsequently used in size calculations without proper bounds checking. This can lead to heap buffer overflows, memory corruption, and ultimately arbitrary code execution in the context of the process handling the malicious media file.
Root Cause
The root cause is insufficient validation of the size variable returned by avio_size() in libavformat/jpegxl_anim_dec.c. The function failed to verify that the file size could safely fit within the integer type used for subsequent operations, allowing values exceeding INT_MAX to cause integer overflow conditions during memory allocation and buffer operations.
Attack Vector
This vulnerability is exploitable remotely over a network without requiring authentication or user interaction. An attacker can craft a malicious JPEG XL animation file with specially constructed size parameters. When a vulnerable FFmpeg instance processes this file—whether through direct command-line usage, web application processing, or streaming services—the integer overflow triggers, potentially leading to arbitrary code execution.
size = avio_size(pb);
if (size < 0)
return size;
+ if (size > INT_MAX)
+ return AVERROR(EDOM);
if (size == 0)
size = 4096;
Source: GitHub FFmpeg Commit d2e8974
The patch adds a critical bounds check to ensure the size value does not exceed INT_MAX before proceeding with buffer operations, returning an AVERROR(EDOM) domain error if the check fails.
Detection Methods for CVE-2024-22860
Indicators of Compromise
- Unusual crash patterns in FFmpeg processes when handling JPEG XL animation files
- Unexpected memory allocation failures or out-of-memory conditions during media processing
- Suspicious JPEG XL files with abnormally large reported sizes in file metadata
- Evidence of heap corruption or buffer overflow in FFmpeg crash dumps
Detection Strategies
- Monitor FFmpeg process behavior for anomalous crashes or unexpected terminations during JPEG XL processing
- Implement file integrity checks to identify JPEG XL files with manipulated size headers
- Deploy runtime application self-protection (RASP) to detect integer overflow exploitation attempts
- Use SentinelOne behavioral AI to identify post-exploitation activity following potential code execution
Monitoring Recommendations
- Enable detailed logging for all FFmpeg operations, particularly those involving JPEG XL format handling
- Set up alerting for repeated FFmpeg process failures processing files from untrusted sources
- Monitor network traffic for incoming JPEG XL files from suspicious sources
- Implement file scanning for known malicious JPEG XL samples targeting this vulnerability
How to Mitigate CVE-2024-22860
Immediate Actions Required
- Upgrade FFmpeg to version n6.1 or later immediately across all affected systems
- Audit all systems and applications that embed or depend on FFmpeg for JPEG XL processing capabilities
- Implement network-level filtering for JPEG XL files from untrusted sources until patching is complete
- Review application logs for evidence of exploitation attempts prior to patching
Patch Information
The vulnerability has been addressed in FFmpeg commit d2e8974699a9e35cc1a926bf74a972300d629cd5. This patch adds validation to ensure file sizes do not exceed INT_MAX before proceeding with buffer operations. Organizations should update to FFmpeg version n6.1 or apply the specific commit to their FFmpeg builds. The fix is available in the official FFmpeg repository.
Workarounds
- Disable JPEG XL animation decoding in FFmpeg configurations where this format is not required
- Implement input validation at the application layer to reject JPEG XL files with suspicious size characteristics
- Use sandboxing or containerization to isolate FFmpeg processes handling untrusted media files
- Apply address space layout randomization (ASLR) and other exploit mitigations to reduce successful exploitation impact
# Configuration example - Rebuild FFmpeg without JPEG XL support as temporary mitigation
./configure --disable-decoder=jpegxl
make && make install
# Alternatively, verify your FFmpeg version includes the fix
ffmpeg -version | grep -E "^ffmpeg version"
# Ensure version is n6.1 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
