Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-22860

CVE-2024-22860: FFmpeg JPEG XL RCE Vulnerability

CVE-2024-22860 is an integer overflow RCE flaw in FFmpeg's JPEG XL Animation decoder that enables remote attackers to execute arbitrary code. This article covers the technical details, affected versions, and mitigation strategies.

Updated:

CVE-2024-22860 Overview

CVE-2024-22860 is an integer overflow vulnerability [CWE-190] in FFmpeg versions before n6.1. The flaw resides in the jpegxl_anim_read_packet component within the JPEG XL Animation decoder. Remote attackers can trigger the overflow by supplying a crafted JPEG XL animation file, leading to arbitrary code execution in the process consuming the media. FFmpeg is embedded across browsers, media servers, transcoding pipelines, and desktop applications, expanding the attack surface significantly. The issue was disclosed through Chromium's OSS-Fuzz program and patched upstream in commit d2e8974.

Critical Impact

Remote attackers can execute arbitrary code by delivering a malicious JPEG XL animation file to any application using a vulnerable FFmpeg build, with no authentication or user interaction required.

Affected Products

  • FFmpeg versions prior to n6.1
  • FFmpeg 6.1 (per CPE cpe:2.3:a:ffmpeg:ffmpeg:6.1:*:*:*:*:*:*:*)
  • Applications, services, and libraries bundling vulnerable FFmpeg builds with JPEG XL animation decoding enabled

Discovery Timeline

  • 2024-01-27 - CVE-2024-22860 published to NVD
  • 2025-08-11 - Last updated in NVD database

Technical Details for CVE-2024-22860

Vulnerability Analysis

The vulnerability is an integer overflow in the JPEG XL animation demuxer (libavformat/jpegxl_anim_dec.c). The function jpegxl_anim_read_packet calls avio_size(pb) to retrieve the input size as an int64_t. The returned value is later assigned or passed to allocation paths that expect an int. When a crafted input reports a size larger than INT_MAX, the truncated value becomes negative or wraps around, breaking subsequent length and buffer arithmetic.

The downstream effect is a memory corruption primitive that an attacker controls through the input file. Because FFmpeg is widely embedded as a library in media playback, transcoding, and server-side processing pipelines, any component that decodes attacker-supplied JPEG XL animation data inherits the flaw.

Root Cause

The root cause is missing bounds validation on the file size returned by avio_size() before it is used in size-sensitive logic. FFmpeg did not enforce that the returned int64_t fits within INT_MAX, allowing arithmetic on the value to overflow signed integer types.

Attack Vector

Exploitation is network-reachable. An attacker delivers a malicious JPEG XL animation file through any channel that feeds untrusted media into FFmpeg: a web upload endpoint, an email attachment processed server-side, a browser loading remote content, or a transcoding service. No privileges or user interaction beyond opening the file are required.

c
// Patch from libavformat/jpegxl_anim_dec.c (commit d2e8974)
     size = avio_size(pb);
     if (size < 0)
         return size;
+    if (size > INT_MAX)
+        return AVERROR(EDOM);
     if (size == 0)
         size = 4096;

Source: GitHub FFmpeg Commit d2e8974

The patch adds an explicit check that rejects inputs whose size exceeds INT_MAX, returning AVERROR(EDOM) before the value can flow into vulnerable arithmetic.

Detection Methods for CVE-2024-22860

Indicators of Compromise

  • Unexpected crashes, segmentation faults, or assertion failures in processes linked against libavformat when handling .jxl files
  • FFmpeg child processes spawning shells, network connections, or writing to unusual filesystem paths
  • Inbound JPEG XL animation files from untrusted sources targeting media upload or transcoding endpoints
  • FFmpeg binary versions reporting strings earlier than n6.1 in production deployments

Detection Strategies

  • Inventory all software bundling FFmpeg using SBOM analysis and identify versions prior to n6.1
  • Inspect media intake pipelines for JPEG XL files and validate them against the patched decoder before processing
  • Hunt for anomalous process lineage where ffmpeg, ffprobe, or applications embedding libavformat launch shells or network tools
  • Monitor for crash telemetry referencing jpegxl_anim_read_packet or jpegxl_anim_dec.c in stack traces

Monitoring Recommendations

  • Enable core dump collection and crash reporting for any service that decodes user-supplied media
  • Log file types and source IPs at media upload endpoints to support retrospective hunting
  • Correlate FFmpeg process activity with outbound network connections and child-process creation events

How to Mitigate CVE-2024-22860

Immediate Actions Required

  • Upgrade FFmpeg to version n6.1 or later on all systems, including bundled and statically linked copies
  • Audit third-party applications that embed FFmpeg and apply vendor updates that incorporate the fix
  • Restrict acceptance of JPEG XL animation files at network and application boundaries until patching is complete
  • Run media-processing services as unprivileged users inside sandboxes or containers to limit exploitation impact

Patch Information

The fix is upstream commit d2e8974699a9e35cc1a926bf74a972300d629cd5 in the FFmpeg repository, included in the n6.1 release. The patch adds an INT_MAX bounds check on the value returned by avio_size() in libavformat/jpegxl_anim_dec.c. See the GitHub FFmpeg Commit d2e8974 and the Chromium OSS-Fuzz Issue #61991 for full technical context.

Workarounds

  • Disable the JPEG XL animation demuxer at build time when patching is not immediately possible
  • Block uploads and processing of files with the image/jxl MIME type and .jxl extension at the gateway
  • Process untrusted media inside isolated sandboxes with no network egress and minimal filesystem access
  • Apply file-size limits at the application layer to reject oversized inputs before they reach the decoder
bash
# Build FFmpeg without the JPEG XL animation demuxer as a workaround
./configure --disable-demuxer=jpegxl_anim
make && make install

# Verify the installed FFmpeg version is n6.1 or later
ffmpeg -version | head -n 1

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.