DEBIAN-CVE-2025-10256
PUBLISHED
CVSS 5.5 MEDIUM
A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array() in the config_input() function. An attacker could exploit this by tricking a victim into processing a crafted media file with the Firequalizer filter enabled, causing the application to dereference a NULL pointer and crash, leading to denial of service.
Risk Scores
CVSS 3.1
5.5
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | ffmpeg | 0, 7.1.1-1, 0 |
| Debian:11 | ffmpeg | 4.3.5-0, 4.3.6-0, 4.3.7-0 |
| Debian:12 | ffmpeg | 7:7.0.1-4, 7:7.0.1-5, 7:7.0.2-1 |
| Debian:14 | ffmpeg | 7.1.1-1, 0, 7:7.1.1-1 |
Exploit Intelligence
- ghost_report_20260130_122052.json (github-poc)
- unix-ci.py (github-poc)
- ghost_report_20260112_192608.json (github-poc)
- ghost_report_20260112_175243.json (github-poc)
- ghost_report_20260112_182220.json (github-poc)
- ghost_report_20260113_010235.json (github-poc)
- ghost_report_20260112_182638.json (github-poc)
Timeline
- Feb 18, 2026 CVE Published
- Apr 28, 2026 CVE Updated