CVE-2024-35367 Overview
CVE-2024-35367 is a critical out-of-bounds read vulnerability affecting FFmpeg version n6.1.1. The flaw exists within the VP8 DSP AltiVec implementation, specifically in the libavcodec/ppc/vp8dsp_altivec.c file. This vulnerability occurs in the static constant h_subpel_filters_outer array handling, allowing attackers to read memory beyond intended boundaries when processing specially crafted media files.
Critical Impact
This vulnerability enables remote attackers to trigger out-of-bounds memory reads via maliciously crafted media content, potentially leading to sensitive information disclosure or application crashes affecting systems running FFmpeg on PowerPC architectures with AltiVec support.
Affected Products
- FFmpeg n6.1.1
- Systems running FFmpeg with PowerPC AltiVec optimizations enabled
- Applications and services utilizing vulnerable FFmpeg versions for media processing
Discovery Timeline
- 2024-11-29 - CVE-2024-35367 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-35367
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-Bounds Read), a memory safety issue that occurs when the software reads data past the end or before the beginning of an allocated buffer. In the context of CVE-2024-35367, the vulnerability manifests in FFmpeg's VP8 video decoder implementation optimized for PowerPC processors with AltiVec SIMD extensions.
The vulnerable code path involves the h_subpel_filters_outer constant used in horizontal subpixel filtering operations during VP8 video decoding. When processing certain VP8 video streams, the decoder may access memory locations outside the bounds of this filter array, leading to information disclosure or denial of service conditions.
Root Cause
The root cause of this vulnerability lies in improper bounds checking within the VP8 DSP AltiVec implementation. Index values are not properly validated before elements of the h_subpel_filters_outer static constant array (line 53 of vp8dsp_altivec.c) are accessed. This allows malformed VP8 video data to trigger reads beyond the allocated memory region for the filter coefficients.
The vulnerability is specific to the PowerPC AltiVec optimized code path, meaning systems using x86/x64 or ARM architectures may not be directly affected by this particular code path, though they may have similar issues in their respective optimized implementations.
Attack Vector
The attack vector for CVE-2024-35367 is network-based, requiring no privileges or user interaction. An attacker can exploit this vulnerability by:
- Crafting a malicious VP8 video file or stream with specific subpixel filter parameters
- Delivering the malicious content to a target system running vulnerable FFmpeg versions
- Triggering the out-of-bounds read when FFmpeg processes the VP8 video content
The vulnerability can be exploited in scenarios where FFmpeg processes untrusted media content, such as:
- Media streaming servers
- Video transcoding services
- Web applications with video processing capabilities
- Desktop media players using FFmpeg libraries
The vulnerability affects the libavcodec/ppc/vp8dsp_altivec.c file in the FFmpeg codebase. Technical details of the vulnerable code path can be found in the FFmpeg Source Code. The fix involves proper bounds validation for array access operations in the subpixel filtering routines.
Detection Methods for CVE-2024-35367
Indicators of Compromise
- Unexpected FFmpeg process crashes during VP8 video processing operations
- Memory access violations or segmentation faults in FFmpeg logs when handling VP8 content
- Abnormal memory read patterns detected by memory safety tools such as AddressSanitizer
- Unusual network traffic involving malformed VP8 video streams targeting media processing infrastructure
Detection Strategies
- Deploy runtime memory safety monitoring on systems running FFmpeg with PowerPC AltiVec support
- Implement logging and alerting for FFmpeg process crashes or unexpected terminations
- Use SentinelOne's behavioral AI to detect anomalous memory access patterns during media processing
- Monitor for exploitation attempts by analyzing incoming media file structures for VP8 anomalies
Monitoring Recommendations
- Enable verbose logging for FFmpeg media processing operations on critical systems
- Implement file integrity monitoring for FFmpeg binary and library files
- Deploy network traffic analysis to detect malformed VP8 video streams entering the environment
- Configure SentinelOne endpoint agents to monitor FFmpeg process behavior for signs of memory corruption attacks
How to Mitigate CVE-2024-35367
Immediate Actions Required
- Update FFmpeg to a patched version that includes commit 09e6840cf7a3ee07a73c3ae88a020bf27ca1a667
- Audit systems for FFmpeg installations running version n6.1.1 or earlier on PowerPC architectures
- Implement network segmentation for media processing infrastructure to limit attack surface
- Consider disabling AltiVec optimizations temporarily if immediate patching is not possible
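One way to carry out the audit step above on a single host, shown as an added example rather than code from FFmpeg or from this advisory. The helper names `classify_ffmpeg` and `version_le` and the verdict labels are hypothetical; the script only reads the text printed by `uname -m`, `ffmpeg -version` and `ffmpeg -decoders`.

```bash
# Added example: triage one FFmpeg build for exposure to CVE-2024-35367.
# Inputs are passed in as text, so the logic can be checked offline.

version_le() {  # succeeds when dotted version $1 <= $2
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# classify_ffmpeg ARCH VERSION_TEXT DECODERS_TEXT
#   ARCH           output of `uname -m`
#   VERSION_TEXT   output of `ffmpeg -version`
#   DECODERS_TEXT  output of `ffmpeg -decoders`
classify_ffmpeg() (
    arch=$1 version_text=$2 decoders_text=$3
    case $arch in
        ppc*|powerpc*) ;;
        *) echo "not-applicable: $arch does not build libavcodec/ppc"; exit 0 ;;
    esac
    # The "configuration:" line records the flags given to ./configure.
    if printf '%s\n' "$version_text" | grep -q -e '--disable-altivec'; then
        echo "mitigated: built with --disable-altivec"; exit 0
    fi
    # Native decoder rows look like " V....D vp8   On2 VP8".
    if ! printf '%s\n' "$decoders_text" | grep -Eq '^ *[A-Z.]{6} +vp8 '; then
        echo "mitigated: native vp8 decoder not compiled in"; exit 0
    fi
    ver=$(printf '%s\n' "$version_text" |
          sed -n '1s/^ffmpeg version n\{0,1\}\([0-9][0-9.]*\).*/\1/p')
    if [ -n "$ver" ] && version_le "$ver" 6.1.1; then
        echo "in-scope: FFmpeg $ver with AltiVec and vp8 enabled"
    else
        echo "verify: confirm the build contains commit 09e6840cf7a3"
    fi
)

# On a live host:
# classify_ffmpeg "$(uname -m)" "$(ffmpeg -version)" "$(ffmpeg -decoders 2>/dev/null)"
```

An `in-scope` verdict on a distribution package still needs checking against the vendor advisory, because a fix can be backported without changing the upstream version string.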
Patch Information
FFmpeg has released a fix for this vulnerability. The patch is available in the FFmpeg Commit Changes. Debian has also issued security updates as documented in the Debian LTS Announcement.
Organizations should prioritize applying this patch to systems running FFmpeg on PowerPC architecture with AltiVec support, particularly those processing untrusted media content from external sources.
Workarounds
- Disable VP8 decoding support in FFmpeg configurations if not required for operations
- Compile FFmpeg without PowerPC AltiVec optimizations using appropriate build flags
- Implement input validation and sandboxing for media processing operations
- Use application-level firewalls to filter potentially malicious VP8 content before it reaches FFmpeg
```bash
# Configuration example - Rebuild FFmpeg without AltiVec optimizations
./configure --disable-altivec --disable-vsx
make clean && make
make install
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


