VDB

CVE-2020-13904

CVE-2020-13904 PUBLISHED

FFmpeg 2.8 and 4.2.3 has a use-after-free via a crafted EXTINF duration in an m3u8 file because parse_playlist in libavformat/hls.c frees a pointer, and later that pointer is accessed in av_probe_input_format3 in libavformat/format.c.

EPSS 0.25% · 48.8th percentile

Risk Scores

EPSS Score
0.25%
48.8th percentile

Affected Products

VendorProductVersions
Ubuntu:18.04:LTSffmpeg0, 7:3.3.4-2, 7:3.3.4-2build3
Ubuntu:16.04:LTSffmpeg*, 7:2.8.10-0ubuntu0.16.04.1, 7:2.8.11-0ubuntu0.16.04.1
Ubuntu:20.04:LTSffmpeg7:4.2.1-2, 7:4.2.1-2ubuntu1, *

Timeline

  • Jun 7, 2020 CVE Published
  • Apr 14, 2021 EPSS Score
  • Jun 23, 2021 EPSS Score
  • Aug 24, 2021 EPSS Score
  • Dec 27, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Feb 28, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • Jul 3, 2022 EPSS Score
  • Sep 4, 2022 EPSS Score
  • Nov 6, 2022 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›