CVE-2025-69693 Overview
CVE-2025-69693 is an out-of-bounds read vulnerability affecting the RV60 video decoder in FFmpeg versions 8.0 and 8.0.1. The flaw exists in libavcodec/rv60dec.c, where the quantization parameter (qp) validation at line 2267 checks only the lower bound (qp < 0) and has no upper-bound check. This allows an attacker to craft a malicious RV60 video file that triggers out-of-bounds array access, potentially leading to memory disclosure or application crash.
Critical Impact
Processing maliciously crafted RV60 video files can cause out-of-bounds memory read, potentially exposing sensitive memory contents or causing denial of service through application crash.
Affected Products
- FFmpeg 8.0 (released 2025-08-22)
- FFmpeg 8.0.1 (released 2025-11-20)
Discovery Timeline
- 2026-03-16 - CVE-2025-69693 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2025-69693
Vulnerability Analysis
The vulnerability resides in the RV60 video decoder component of FFmpeg. The root issue is that the quantization parameter (qp) can reach a value of 65, calculated as a base value of 63 from the 6-bit frame header plus an offset of +2 from the read_qp_offset function. However, the rv60_qp_to_idx array has a size of only 64 elements, meaning valid indices range from 0 to 63. When the qp value exceeds 63, out-of-bounds array access occurs at multiple locations in the codebase: line 1554 in decode_cbp8, line 1655 in decode_cbp16, and lines 1419/1421 in get_c4x4_set.
A previous fix in commit 61cbcaf93f attempted to address this issue but only added validation for intra frames, leaving the vulnerability exploitable through non-intra frame scenarios.
Root Cause
The root cause is incomplete input validation in the quantization parameter handling. The original validation code checked only for negative values (qp < 0) without enforcing an upper bound. Since the qp value is derived from user-controlled input in the video file header, an attacker can supply values that cause the parameter to exceed the valid array bounds.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious RV60 video file with a specially constructed frame header. When a victim processes this file using FFmpeg (either directly or through an application that uses FFmpeg's libavcodec library), the vulnerable decoder will read beyond the bounds of the rv60_qp_to_idx array. This can result in:
- Information Disclosure: Memory contents adjacent to the array may be leaked
- Denial of Service: The application may crash due to invalid memory access
The attack requires user interaction to process the malicious file, but the file could be delivered through various vectors including web downloads, email attachments, or media streaming applications.
ff_thread_progress_await(&s->progress[cu_y - 1], cu_x + 2);
qp = s->qp + read_qp_offset(&gb, s->qp_off_type);
- if (qp < 0) {
+ if (qp < 0 || qp >= 64) {
ret = AVERROR_INVALIDDATA;
break;
}
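Review bot: the upper bound on the added line is the literal 64, which duplicates the size of rv60_qp_to_idx instead of deriving from it. Consider writing the condition as qp >= FF_ARRAY_ELEMS(rv60_qp_to_idx), or sharing a named constant with the table declaration, so the check cannot drift if the table is ever resized; the qp < 0 test already runs first, so the signed-to-unsigned comparison is safe. The visible rejection path also sets AVERROR_INVALIDDATA without logging anything, and an av_log error that names the rejected qp would make these files easier to triage.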
Source: GitHub FFmpeg Commit Change
Detection Methods for CVE-2025-69693
Indicators of Compromise
- Unexpected crashes in applications using FFmpeg when processing RV60 video files
- Memory access violations or segmentation faults in libavcodec/rv60dec.c
- Unusual process behavior following RV60 video file processing
Detection Strategies
- Monitor for crashes in FFmpeg-based applications with stack traces pointing to rv60dec.c
- Implement file integrity monitoring for media processing workflows
- Deploy endpoint detection rules that flag abnormal memory access patterns in media decoder processes
Monitoring Recommendations
- Enable verbose logging in media processing applications to capture decoder errors
- Monitor system logs for SIGSEGV or similar memory access violation signals from FFmpeg processes
- Track incoming media files and validate their sources before processing
How to Mitigate CVE-2025-69693
Immediate Actions Required
- Update FFmpeg to version 8.1 or later when available
- Apply the security patch from commit 8abeb879df to existing installations
- Restrict RV60 video decoding in untrusted environments until patched
Patch Information
The vulnerability is fixed in FFmpeg git master commit 8abeb879df66ea8d27ce1735925ced5a30813de4, which adds the missing upper bound check (qp >= 64) to the validation logic. This fix will be included in FFmpeg version 8.1. Organizations running FFmpeg 8.0 or 8.0.1 should apply this patch or upgrade when version 8.1 becomes available.
Workarounds
- Disable RV60 video decoding by excluding the RV60 decoder during FFmpeg compilation (--disable-decoder=rv60)
- Pre-validate media files in sandboxed environments before processing
- Implement input validation to reject RV60 files from untrusted sources
# Rebuild FFmpeg without RV60 decoder as a temporary workaround
./configure --disable-decoder=rv60
make && make install
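To confirm whether a given build is in scope, or that the rebuild above actually removed the decoder, the check below classifies a build from the text of `ffmpeg -version` and `ffmpeg -decoders`. It is an added example, not part of the original advisory or of FFmpeg; the function name rv60_exposure and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classifies an FFmpeg build against the advisory from two inputs:
#   $1 = text of `ffmpeg -hide_banner -version`
#   $2 = text of `ffmpeg -hide_banner -decoders`
# Prints: exposed | no-rv60-decoder | not-listed | unknown-version
rv60_exposure() {
    version_out=$1
    decoders_out=$2

    # The decoder table is "<flags> <name> <description>"; match the name column
    # exactly so that other RealVideo decoders are not counted.
    if ! printf '%s\n' "$decoders_out" |
        awk '$2 == "rv60" { found = 1 } END { exit !found }'; then
        echo "no-rv60-decoder"
        return 0
    fi

    # Line 1 looks like "ffmpeg version 8.0.1 Copyright ...". Some builds prefix
    # "n" or append a packaging suffix such as "-1ubuntu1"; keep only the
    # dotted number. Git snapshots ("N-...") yield an empty string.
    ver=$(printf '%s\n' "$version_out" |
        sed -n '1s/^ffmpeg version n\{0,1\}\([0-9][0-9.]*\).*/\1/p')

    case $ver in
        "")        echo "unknown-version" ;;
        8.0|8.0.1) echo "exposed" ;;          # releases the advisory lists
        *)         echo "not-listed" ;;
    esac
}

# Constructed sample output (not captured from a real host).
SAMPLE_VERSION='ffmpeg version 8.0.1 Copyright (c) 2000-2025 the FFmpeg developers
built with gcc 14 (constructed sample)'
SAMPLE_DECODERS='Decoders:
 V..... = Video
 ------
 V....D rv40                 RealVideo 4.0
 V....D rv60                 RealVideo 6.0'

rv60_exposure "$SAMPLE_VERSION" "$SAMPLE_DECODERS"
# On a live host:
#   rv60_exposure "$(ffmpeg -hide_banner -version)" "$(ffmpeg -hide_banner -decoders)"
```

A version string cannot show a backported fix, so an "exposed" result on a distribution package is a prompt to check that package's changelog for commit 8abeb879df.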


