CVE-2024-35368 Overview
CVE-2024-35368 is a Double Free vulnerability affecting FFmpeg n7.0. The flaw exists within the rkmpp_retrieve_frame function in libavcodec/rkmppdec.c, where improper memory management can lead to a double free condition. This memory corruption vulnerability can be exploited remotely without authentication, potentially enabling attackers to execute arbitrary code, corrupt data, or cause denial of service conditions on systems processing malicious media files.
Critical Impact
This Double Free vulnerability in FFmpeg's Rockchip MPP decoder allows unauthenticated remote attackers to potentially achieve arbitrary code execution or crash applications by providing specially crafted media input to affected FFmpeg installations.
Affected Products
- FFmpeg version 7.0
- Applications and systems utilizing FFmpeg 7.0 with Rockchip MPP hardware decoding support
- Debian-based distributions with vulnerable FFmpeg packages
Discovery Timeline
- 2024-11-29 - CVE-2024-35368 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-35368
Vulnerability Analysis
This vulnerability is classified as CWE-415 (Double Free), a memory corruption flaw that occurs when the free() function is called twice on the same memory address. In the context of FFmpeg's rkmpp_retrieve_frame function, the issue arises during error handling in the Rockchip MPP hardware decoder implementation.
When an error occurs during frame buffer reference allocation (specifically when av_buffer_ref(decoder->frames_ref) fails), the original code path would jump to a fail label that would attempt to free resources that may have already been partially cleaned up. This creates a scenario where the same memory can be freed twice, leading to heap corruption.
Double free vulnerabilities are particularly dangerous because they can corrupt the heap's metadata structures, potentially allowing an attacker to overwrite arbitrary memory locations during subsequent memory allocations. This can be leveraged to achieve code execution by carefully controlling the heap state and subsequent allocations.
Root Cause
The root cause lies in the error handling logic within the rkmpp_retrieve_frame function in libavcodec/rkmppdec.c. When av_buffer_ref() fails to allocate a buffer reference for frame->hw_frames_ctx, the code previously used a goto fail pattern that would attempt to clean up the frame. However, if the frame had already been partially initialized, this could result in attempting to free already-freed memory.
The vulnerable code path did not properly account for the state of the frame object during error conditions, leading to the double free scenario when memory allocation failed.
Attack Vector
The attack vector is network-based, requiring no privileges or user interaction. An attacker can exploit this vulnerability by:
- Crafting a malicious media file designed to trigger specific error conditions in the Rockchip MPP decoder
- Causing the av_buffer_ref() function to fail (e.g., through memory pressure or malformed input)
- Triggering the flawed error handling path that leads to a double free
- Potentially achieving heap corruption and subsequent code execution
The vulnerability can be triggered through any application using FFmpeg to process untrusted media content, including media players, transcoding services, and streaming applications.
// Security patch for CVE-2024-35368 - avcodec/rkmppdec: Fix double-free on error
// Source: https://github.com/ffmpeg/ffmpeg/commit/4513300989502090c4fd6560544dce399a8cd53c
frame->hw_frames_ctx = av_buffer_ref(decoder->frames_ref);
if (!frame->hw_frames_ctx) {
- ret = AVERROR(ENOMEM);
- goto fail;
+ av_frame_unref(frame);
+ return AVERROR(ENOMEM);
}
return 0;
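Review bot: in the `if (!frame->hw_frames_ctx)` branch the new `return AVERROR(ENOMEM);` bypasses the `fail` label entirely, and nothing in the hunk says why skipping that shared cleanup is safe. Add a short comment stating which resources the frame already owns at this point, so that `av_frame_unref(frame)` is the only release needed. Also confirm that dropping `ret = AVERROR(ENOMEM);` does not leave `ret` assigned but unused on the remaining paths.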
The fix replaces the goto fail pattern with an immediate av_frame_unref(frame) call followed by a direct return. This ensures the frame is properly cleaned up exactly once before returning the error, eliminating the double free condition.
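The ownership problem behind the patch, as an added example that is not FFmpeg code: a constructed model in which releases are counted rather than freed, so the double release can be observed safely. It assumes the shared cleanup label releases a resource the frame already owns; Resource, Frame, retrieve_goto_fail, retrieve_patched and releases_after are hypothetical names.

```c
#include <stdio.h>

/* Constructed model, not FFmpeg code: releases are counted instead of
 * calling free(), so a double release is observable without corruption. */
typedef struct { int releases; } Resource;
typedef struct { Resource *owned; } Frame;   /* stand-in for AVFrame */

static void resource_release(Resource *r) { r->releases++; }

/* Stand-in for av_frame_unref(): release what the frame owns, once. */
static void frame_unref(Frame *f) {
    if (f->owned) { resource_release(f->owned); f->owned = NULL; }
}

/* Pre-patch shape (assumed): ownership has moved into the frame, then a
 * late failure jumps to a cleanup label that releases the resource
 * directly while the frame still points at it. */
static int retrieve_goto_fail(Frame *f, Resource *r, int ref_fails) {
    int ret = 0;
    f->owned = r;                 /* ownership transferred to the frame */
    if (ref_fails) { ret = -1; goto fail; }
    return 0;
fail:
    resource_release(r);          /* first release */
    return ret;                   /* the caller's frame_unref() is the second */
}

/* Post-patch shape: unref the frame and return, bypassing the label. */
static int retrieve_patched(Frame *f, Resource *r, int ref_fails) {
    f->owned = r;
    if (ref_fails) { frame_unref(f); return -1; }
    return 0;
}

/* One decode attempt plus the caller's cleanup; returns the release count. */
static int releases_after(int (*fn)(Frame *, Resource *, int), int ref_fails) {
    Resource r = {0};
    Frame f = {0};
    fn(&f, &r, ref_fails);
    frame_unref(&f);              /* the caller always unrefs the frame */
    return r.releases;
}

int main(void) {
    printf("goto fail, failure: %d\n", releases_after(retrieve_goto_fail, 1));
    printf("patched,   failure: %d\n", releases_after(retrieve_patched, 1));
    printf("patched,   success: %d\n", releases_after(retrieve_patched, 0));
    return 0;
}
```

A release count above 1 for a single resource is the modelled double free; with a real allocator the second release is the call that corrupts heap state.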
Detection Methods for CVE-2024-35368
Indicators of Compromise
- Unexpected crashes or segmentation faults in FFmpeg-based applications during media processing
- Heap corruption errors or memory-related exceptions in system logs when processing media files
- Unusual process behavior in applications utilizing FFmpeg's Rockchip MPP decoder
- Core dumps showing double free or heap corruption in rkmppdec.c related functions
Detection Strategies
- Monitor FFmpeg-based applications for abnormal termination patterns, particularly when processing video content
- Run memory-error detectors (AddressSanitizer, Valgrind) in development and testing environments to detect double free conditions
- Deploy application crash monitoring to identify potential exploitation attempts
- Review system logs for segmentation faults or memory allocation errors associated with FFmpeg processes
Monitoring Recommendations
- Enable detailed logging for media processing applications to capture error conditions in decoder components
- Implement runtime application self-protection (RASP) to detect heap corruption attempts
- Monitor resource utilization for FFmpeg processes, as exploitation attempts may cause abnormal memory patterns
- Set up alerts for repeated crashes in media processing workflows that could indicate active exploitation
How to Mitigate CVE-2024-35368
Immediate Actions Required
- Update FFmpeg to a patched version that includes commit 4513300989502090c4fd6560544dce399a8cd53c
- Review systems using FFmpeg 7.0 with Rockchip MPP hardware decoding support and prioritize updates
- Implement input validation and sandboxing for media processing workflows handling untrusted content
- Consider temporarily disabling Rockchip MPP hardware decoding if updates cannot be immediately applied
Patch Information
FFmpeg has released a security patch addressing this vulnerability. The fix is available in FFmpeg commit 4513300989502090c4fd6560544dce399a8cd53c. Debian has also issued an advisory for affected packages, available in the Debian LTS Announcement.
Organizations should update their FFmpeg installations to include this fix. For those building from source, ensure the patched code is incorporated. Package-based installations should check for updated packages from their distribution.
Workarounds
- Disable Rockchip MPP hardware decoding by avoiding the -hwaccel rkmpp option or related configurations if not essential
- Process untrusted media files in sandboxed environments with restricted memory access
- Implement strict input validation to reject potentially malicious media files before processing
- Use containerization or virtualization to isolate FFmpeg processing from critical systems
# Example: Disable Rockchip MPP hardware acceleration in FFmpeg
# Instead of using hardware acceleration:
# ffmpeg -hwaccel rkmpp -i input.mp4 output.mp4
# Use software decoding as a workaround:
ffmpeg -i input.mp4 -c:v libx264 output.mp4
# Or explicitly disable hardware acceleration:
ffmpeg -hwaccel none -i input.mp4 output.mp4


