CVE-2025-7700 Overview
CVE-2025-7700 is a null pointer dereference vulnerability [CWE-476] in the FFmpeg Audio Lossless (ALS) audio decoder. The decoder fails to verify the return values of memory allocation calls such as av_malloc_array() and av_calloc(). When these allocations fail, subsequent access to the resulting null pointers crashes the process. Attackers can trigger the crash by supplying a malformed ALS audio file to any application that uses FFmpeg for media decoding. The flaw does not permit data theft or code execution, but it enables denial of service against media processing pipelines, streaming servers, and transcoding workers that rely on FFmpeg.
Critical Impact
Remote attackers can crash FFmpeg-based services by delivering a crafted ALS audio file, disrupting media processing workflows without authentication or user interaction.
Affected Products
- FFmpeg libavcodec — ALS decoder (libavcodec/alsdec.c)
- Downstream distributions packaging vulnerable FFmpeg builds (see Red Hat advisory)
- Applications and services that link against affected libavcodec versions
Discovery Timeline
- 2025-11-07 - CVE-2025-7700 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-7700
Vulnerability Analysis
The ALS decoder in libavcodec/alsdec.c allocates multiple per-frame buffers when initializing decoder state. The original code checked only a subset of the returned pointers for NULL before continuing. When memory pressure or crafted input caused allocations for ctx->larray or ctx->nbits to fail, the decoder proceeded and later dereferenced those null pointers.
The result is a process crash inside any FFmpeg consumer decoding the malicious stream. Because ALS parsing occurs before any authentication or content validation in most media pipelines, the attacker only needs to deliver the file to a decoding endpoint. Repeated submission of malformed files can sustain a denial-of-service condition against transcoding queues, streaming ingest, and thumbnail generators.
Root Cause
The root cause is missing return-value validation for heap allocation primitives. FFmpeg's contract requires callers to check every allocator result, but the ALS initialization path omitted checks for two of the allocated arrays. On failure, dereferencing the unchecked pointer produces a segmentation fault [CWE-476].
Attack Vector
Exploitation requires no privileges and no user interaction beyond the target process opening the audio input. An attacker uploads or streams a crafted ALS file to a service that invokes FFmpeg for decoding, transcoding, or metadata extraction. The crash impacts availability only; confidentiality and integrity are not affected.
// Source: https://github.com/FFmpeg/FFmpeg/commit/35a6de137a39f274d5e01ed0e0e6c4f04d0aaf07
// Patch adds missing NULL checks for ctx->larray and ctx->nbits
ctx->nbits = av_malloc_array(ctx->cur_frame_length, sizeof(*ctx->nbits));
ctx->mlz = av_mallocz(sizeof(*ctx->mlz));
- if (!ctx->mlz || !ctx->acf || !ctx->shift_value || !ctx->last_shift_value
- || !ctx->last_acf_mantissa || !ctx->raw_mantissa) {
+ if (!ctx->larray || !ctx->nbits || !ctx->mlz || !ctx->acf || !ctx->shift_value
+ || !ctx->last_shift_value || !ctx->last_acf_mantissa || !ctx->raw_mantissa) {
av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
return AVERROR(ENOMEM);
}
Detection Methods for CVE-2025-7700
Indicators of Compromise
- Repeated SIGSEGV terminations of FFmpeg, ffprobe, or dependent worker processes when handling ALS content
- Error log entries containing Allocating buffer memory failed. from libavcodec
- Media pipeline job queues stalling on specific .als or ALS-in-MP4 inputs
Detection Strategies
- Monitor for abnormal exit codes and core dumps from any process linking libavcodec
- Alert on spikes in transcoding job failures or restart loops in media microservices
- Inspect uploaded audio files for ALS codec identifiers combined with malformed header fields before dispatch to decoders
Monitoring Recommendations
- Track libavcodec version inventory across servers and containers to identify unpatched hosts
- Correlate crash telemetry with the source of the input file to trace potentially malicious submitters
- Enable rate limiting and per-source anomaly detection on media ingest endpoints
How to Mitigate CVE-2025-7700
Immediate Actions Required
- Update FFmpeg to a build that includes commit 35a6de137a39f274d5e01ed0e0e6c4f04d0aaf07 or the vendor-supplied backport
- Apply distribution updates referenced in the Red Hat CVE-2025-7700 Advisory
- Rebuild and redeploy container images that bundle libavcodec
Patch Information
The upstream fix adds NULL checks for ctx->larray and ctx->nbits in the ALS decoder initialization path. See the GitHub FFmpeg commit and the Red Hat Bug Report #2380420 for backport tracking.
Workarounds
- Disable the ALS decoder at build time or via runtime codec allow-lists if ALS support is not required
- Reject ALS content at the application boundary until patches are deployed
- Run FFmpeg workers under process supervisors that automatically restart on crash to limit outage duration
# Example: restrict allowed decoders when invoking ffmpeg
ffmpeg -codec:a:0 none -vn -i input.m4a -f null -
# Example: rebuild FFmpeg without ALS support
./configure --disable-decoder=als
make && make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

