CVE-2025-63757

Published Dec 18, 2025

Last updated 2 months ago

CVSS high 7.5

Overview

Description
Integer overflow vulnerability in the yuv2ya16_X_c_template function in libswscale/output.c in FFmpeg 8.0.
Source
cve@mitre.org
NVD status
Analyzed
Products
ffmpeg

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-190

Social media

Hype score
Not currently trending

  1. FFmpeg affected by Integer Overflow vulnerability (CVE-2025-63757). Monitor vendor channels for updates and apply security best practices to mitigate risk. https://t.co/S0jnM5UmQK

    @pulsepatchio

    20 Dec 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. A flaw was found in FFmpeg’s TensorFlow backend within the libavfilter/dnn_backend_tf.c source file. The issue occurs in the dnn_execute_model_tf() function, where a task object is freed multiple times in certain error-handling paths. This redundant memory deallocation can lead to a double-free condition, potentially causing FFmpeg or any application using it to crash when processing TensorFlow-based DNN models. This results in a denial-of-service scenario but does not allow arbitrary code execution under normal conditions.CVE-2025-12343
  2. A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array() in the config_input() function. An attacker could exploit this by tricking a victim into processing a crafted media file with the Firequalizer filter enabled, causing the application to dereference a NULL pointer and crash, leading to denial of service.CVE-2025-10256
  3. A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. This affects the function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c of the component AAC Encoder. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.CVE-2025-1594
  4. FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/iamf.c.CVE-2025-25469
  5. FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/mem.c.CVE-2025-25468

References

Sources include official advisories and independent security research.