CVE-2024-22861 Overview
CVE-2024-22861 is an integer overflow vulnerability affecting FFmpeg versions prior to n6.1. The flaw resides in the avcodec/osq module, which handles OSQ (Original Sound Quality) audio decoding. Attackers can trigger the overflow by supplying crafted media input, causing a denial of service (DoS) in applications that rely on FFmpeg for audio processing. The vulnerability is classified under CWE-190 (Integer Overflow or Wraparound). FFmpeg is widely embedded across media players, streaming platforms, transcoding pipelines, and server-side processing tools, expanding the potential attack surface.
Critical Impact
Remote attackers can crash FFmpeg-based services by delivering a malicious media stream, disrupting transcoding, streaming, and playback workloads without requiring authentication or user interaction.
Affected Products
- FFmpeg versions prior to n6.1
- FFmpeg 6.1 (per NVD CPE record)
- Downstream applications and services that bundle vulnerable FFmpeg builds for media decoding
Discovery Timeline
- 2024-01-27 - CVE-2024-22861 published to NVD
- 2025-08-11 - Last updated in NVD database
Technical Details for CVE-2024-22861
Vulnerability Analysis
The vulnerability stems from improper bounds handling inside FFmpeg's avcodec/osq decoder. When the module computes size or offset values derived from attacker-controlled fields in an OSQ-formatted stream, arithmetic operations exceed the maximum representable integer value. The resulting wraparound produces undersized allocations or invalid loop boundaries during decoding.
Downstream code then operates on these corrupted values, leading to abnormal program states and a process crash. Because FFmpeg often runs as a long-lived service or batch worker, a single malformed input can interrupt an entire media processing pipeline. The flaw does not require authentication and can be triggered by any source capable of supplying input to a vulnerable decoder.
Root Cause
The root cause is an unchecked integer arithmetic operation in the OSQ decoding path. The decoder fails to validate that computed values remain within the bounds of the underlying integer type before they are used in allocation or iteration logic. The upstream fix is recorded in the FFmpeg commit 87b8c1081959e45ffdcbabb3d53ac9882ef2b5ce, which tightens validation in the osq module.
Attack Vector
The attack vector is network-reachable in any deployment where FFmpeg consumes externally supplied media. Examples include user-uploaded files in transcoding services, streaming ingestion endpoints, and media-rendering web applications. The attacker crafts an OSQ stream with field values designed to overflow internal size calculations and submits it for processing. Successful exploitation produces a denial of service against the decoding process. Confidentiality and integrity are not affected based on the CVSS impact metrics.
No public proof-of-concept exploit is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2024-22861
Indicators of Compromise
- Unexpected crashes or segmentation faults in ffmpeg, ffprobe, or applications linking libavcodec
- Repeated decoder failures referencing the osq module in application or service logs
- Spikes in process restarts on media transcoding workers handling untrusted input
Detection Strategies
- Inventory all systems running FFmpeg and compare installed versions against the patched release n6.1 or later
- Inspect media ingestion pipelines for OSQ-formatted streams from untrusted sources
- Monitor for abnormal termination signals on processes invoking libavcodec decoders
Monitoring Recommendations
- Forward FFmpeg process telemetry, including exit codes and crash dumps, to a centralized logging system
- Alert on elevated rates of decoder errors associated with audio codec processing
- Track resource consumption patterns of media workers to detect repeated DoS attempts
How to Mitigate CVE-2024-22861
Immediate Actions Required
- Upgrade FFmpeg to version n6.1 or later on all affected systems and container images
- Rebuild and redeploy applications that statically link or bundle vulnerable libavcodec builds
- Restrict acceptance of OSQ-format audio streams from untrusted sources until patching is complete
Patch Information
The fix is committed upstream in the FFmpeg repository. Apply the changes from the FFmpeg patch commit 87b8c108 or upgrade to FFmpeg n6.1. Distribution maintainers have backported the fix into supported package channels; verify your package manager reports a patched version before redeployment.
Workarounds
- Disable OSQ decoding support at build time if it is not required by your workload
- Sandbox FFmpeg execution using process isolation so that decoder crashes do not affect parent services
- Validate and filter incoming media file types and codecs at the application boundary before invoking FFmpeg
# Verify installed FFmpeg version and confirm the patched release is present
ffmpeg -version | head -n 1
# Expected output should report version n6.1 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
