CVE-2024-35365 Overview
CVE-2024-35365 is a double-free vulnerability in FFmpeg version n6.1.1. The flaw resides in the new_stream_audio function within the fftools/ffmpeg_mux_init.c component. An attacker can trigger the issue by supplying crafted input to a vulnerable FFmpeg build, causing the same memory region to be freed twice during audio stream initialization. Successful exploitation can lead to memory corruption, denial of service, or arbitrary code execution within the context of the FFmpeg process. This vulnerability is classified as CWE-415 (Double Free).
Critical Impact
Exploitation of this double-free can corrupt heap metadata and may allow code execution against any application or pipeline that processes untrusted media using FFmpeg 6.1.1.
Affected Products
- FFmpeg n6.1.1
- Applications and services that embed or invoke FFmpeg 6.1.1 for media processing
- Build pipelines and transcoding workflows using the vulnerable fftools/ffmpeg_mux_init.c code path
Discovery Timeline
- 2025-01-03 - CVE-2024-35365 published to NVD
- 2025-06-03 - Last updated in NVD database
Technical Details for CVE-2024-35365
Vulnerability Analysis
The vulnerability exists in the new_stream_audio function defined in fftools/ffmpeg_mux_init.c at the audio stream initialization path. During error handling, a pointer used for audio stream option parsing is freed twice along divergent code paths. When FFmpeg processes specially crafted media input that triggers the error branch, the second free operates on a dangling pointer.
Double-free conditions corrupt heap allocator metadata. On glibc-based systems this can produce arbitrary write primitives, leading to denial of service or code execution depending on heap layout and allocator state. The flaw is reachable through normal media handling, so any workflow that pipes untrusted files into FFmpeg 6.1.1 is exposed.
Root Cause
The root cause is improper ownership tracking of dynamically allocated option strings during audio stream construction. The patch introduces an explicit apad pointer initialization to disambiguate the lifetime of the allocation and prevent the duplicate av_free/av_freep call on the same buffer during error cleanup.
Attack Vector
The attack vector is network-reachable but requires user interaction, such as opening or transcoding an attacker-supplied media file. A remote attacker hosting a malicious file, or one able to inject content into a transcoding pipeline, can trigger the vulnerable code path without authentication.
int channels = 0;
char *layout = NULL;
char *sample_fmt = NULL;
+ const char *apad = NULL;
MATCH_PER_STREAM_OPT(audio_channels, i, channels, oc, st);
if (channels) {
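Review bot: the hunk shows only the added `const char *apad = NULL;` declaration and stops at `if (channels) {`, before apad is ever used, so the cleanup change the text credits with removing the double free (the duplicate av_free/av_freep on the option string) is not visible here. Include the lines where apad is looked up and copied into the stream, and the old cleanup that freed it, so a reader can confirm from the diff itself that new_stream_audio now stores only an owned copy and never frees the options-owned string.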
Source: FFmpeg commit ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5
The patch adds explicit initialization of the apad pointer to NULL, ensuring deterministic cleanup behavior and removing the double-free condition in new_stream_audio.
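The ownership problem described under Root Cause and in the patch note above (a stream field briefly aliasing an options-owned string, so an error exit leaves two owners of one buffer) as an added example that is not FFmpeg's code: the opts/ost structs, the xstrdup helper and the tracked_free wrapper are assumed stand-ins, and the second free is counted rather than performed so the program stays heap-safe.

```c
#include <stdlib.h>
#include <string.h>
/* Assumed stand-ins for FFmpeg's OptionsContext and OutputStream (not the real
 * structs): opts owns the parsed option string, ost must hold only its own copy. */
struct opts { char *apad; };
struct ost  { char *apad; };

static char *xstrdup(const char *s) {                 /* portable strdup */
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}
/* Tracked free: remembers released pointers so a second release of the same
 * address is counted instead of corrupting the heap. */
static void *freed[8]; static int nfreed, double_frees;
static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) { double_frees++; return; }
    if (nfreed < 8) freed[nfreed++] = p;
    free(p);
}
/* Vulnerable pattern: the owning field aliases the options-owned string until a
 * copy replaces it; an error exit in that window leaves two owners of one buffer. */
static int setup_vuln(struct ost *o, struct opts *op, int fail_early) {
    o->apad = op->apad;                 /* borrowed pointer in an owning field */
    if (fail_early) return -1;          /* error path: alias still in place */
    o->apad = xstrdup(o->apad);         /* only now an owned copy */
    return o->apad ? 0 : -1;
}

/* Fixed pattern (the shape of the const char *apad = NULL change): look the
 * option up into a const local and store nothing but an owned copy in ost. */
static int setup_fixed(struct ost *o, struct opts *op, int fail_early) {
    const char *apad = op->apad;        /* borrowed, never freed here */
    if (fail_early) return -1;          /* o->apad untouched, still NULL */
    if (apad && !(o->apad = xstrdup(apad))) return -1;
    return 0;
}

/* Runs one setup variant, then both owners' cleanup; returns double frees seen. */
static int run(int (*setup)(struct ost *, struct opts *, int), int fail_early) {
    struct opts op = { xstrdup("apad=whole_dur") };   /* constructed sample option */
    struct ost o = { NULL };
    nfreed = 0; double_frees = 0;
    setup(&o, &op, fail_early);
    tracked_free(o.apad);               /* stream cleanup (ost_free-style) */
    tracked_free(op.apad);              /* options-context cleanup */
    return double_frees;
}
```

Only the vulnerable variant on its error path reports a double free; the fixed variant reports none on either path.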
Detection Methods for CVE-2024-35365
Indicators of Compromise
- Unexpected crashes or SIGABRT signals from FFmpeg processes with glibc messages such as "double free or corruption" and "free(): invalid pointer".
- Core dumps referencing new_stream_audio or ffmpeg_mux_init.c in the call stack.
- Anomalous media files submitted to transcoding services that consistently trigger FFmpeg termination.
Detection Strategies
- Inventory all hosts, containers, and build artifacts that ship FFmpeg 6.1.1 using software composition analysis tools.
- Monitor process telemetry for abnormal exit codes and segmentation faults originating from ffmpeg and linked binaries that wrap libavformat.
- Inspect media ingestion pipelines for repeated failures tied to specific uploaded files and quarantine those samples for analysis.
Monitoring Recommendations
- Enable heap hardening diagnostics such as MALLOC_CHECK_=3 or AddressSanitizer in non-production environments to surface heap corruption early.
- Alert on FFmpeg child processes spawning unexpected shells, network connections, or file writes outside the configured working directory.
- Forward FFmpeg and host audit logs to a centralized analytics platform and correlate crash events with file hashes of input media.
How to Mitigate CVE-2024-35365
Immediate Actions Required
- Upgrade FFmpeg to a build that includes commit ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5 or a later release that incorporates the fix.
- Audit container images, CI/CD pipelines, and third-party applications for bundled copies of FFmpeg 6.1.1 and rebuild against patched sources.
- Restrict who can submit media to FFmpeg-backed services until the upgrade is complete.
Patch Information
The fix is available in the upstream FFmpeg repository via the commit referenced above (ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5). The change initializes apad and corrects the cleanup logic in new_stream_audio within fftools/ffmpeg_mux_init.c. Downstream distributions should pull the patched commit or rebase onto a fixed release branch.
Workarounds
- Run FFmpeg in a sandboxed environment with seccomp, AppArmor, or SELinux profiles to limit the impact of memory corruption.
- Reject or pre-validate untrusted media using a hardened parser before invoking FFmpeg 6.1.1.
- Disable audio stream processing options that exercise the new_stream_audio path when patching is not yet feasible.
# Verify the installed FFmpeg version and rebuild from patched source
ffmpeg -version | head -n 1
git clone https://github.com/FFmpeg/FFmpeg.git
cd FFmpeg
git checkout ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5
./configure --prefix=/usr/local
make -j"$(nproc)" && sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.