libav is a fork of FFmpeg that has not received any commits since April 2019 (https://github.com/libav/libav). Despite being unmaintained, it continues to be used as a dependency in some projects. It contains multiple security vulnerabilities that were discovered and fixed in FFmpeg after the fork diverged but will never be patched in libav.
This post documents the confirmed unpatched CVEs as a public record and to warn users still depending on libav.

== Affected Software ==

Project : libav/libav
URL     : https://github.com/libav/libav
Status  : Unmaintained since April 2019 (FFmpeg fork)
Fix     : None expected. Migrate to FFmpeg.

== CVE-2024-31578 — Use-After-Free in HEVC Decoder ==

Type    : Use-After-Free (CWE-416)
Location: libavcodec/hevcdec.c — set_sps() / hls_slice_header()
Impact  : Memory corruption via crafted HEVC stream

When processing HEVC streams with mid-stream SPS (Sequence Parameter Set) changes, set_sps() may free reference frame data that is subsequently accessed by hls_slice_header(), leading to a use-after-free. Confirmed present in libav's hevcdec.c via Docker build and code inspection.

== CVE-2024-22862 — Integer Overflow in Media Demuxer ==

Type    : Integer Overflow (CWE-190)
Location: Media parsing / MOV/MP4 demuxer code
Impact  : Potential heap corruption via crafted media file

libav contains the integer overflow vulnerability that was present in FFmpeg before the upstream fix. The vulnerable code path was confirmed via Docker build.

== CVE-2024-31585 — Off-by-One Error in MXF Demuxer ==

Type    : Off-by-One Error (CWE-193)
Location: libavformat/mxfdec.c
Impact  : Heap corruption via crafted MXF file

The MXF demuxer off-by-one error inherited from FFmpeg is present in libav's mxfdec.c. Confirmed via Docker build.

== CVE-2025-22919 — Reachable Assertions in AAC Decoder ==

Type    : Reachable Assertion / Abort (CWE-617)
Location: libavcodec/aaccoder.c:509, libavcodec/aacpsy.c:490,492,823
Impact  : Crash (DoS) via crafted AAC audio

Docker build confirmed multiple bare assert() calls in the AAC decoder that can be triggered by crafted input:

    libavcodec/aaccoder.c:509  assert(idx >= 0);
    libavcodec/aacpsy.c:490    assert(bit_save <= 0.3f && ...);
    libavcodec/aacpsy.c:492    assert(bit_spend <= 0.5f && ...);
    libavcodec/aacpsy.c:823    assert(pch->prev_energy_subshort[...] > 0);

Unlike upstream FFmpeg, which uses av_assert (controlled by build flags), these are bare assert() calls that fire in standard release builds.

== Recommendation ==

Users depending on libav should migrate to FFmpeg, which receives active security maintenance and has patches for all of the above CVEs. libav GitHub Issues are disabled and no security contact is available. This post serves as the public disclosure record.
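As an added illustration of the CWE-617 pattern described under CVE-2025-22919 (example code written for this post, not libav or FFmpeg source; ERR_INVALIDDATA, DEBUG_ASSERT, ASSERT_LEVEL, CODEBOOK and the one-byte stream layout are constructed stand-ins): a bare assert() on a bitstream-derived index, beside a hardened version that rejects bad input with an error return and keeps invariant checks behind a build flag.

```c
#include <assert.h>
#include <stddef.h>
/* Constructed example, not libav/FFmpeg code. ASSERT_LEVEL stands in for the
 * build-time switch the advisory mentions; a release build leaves it at 0. */
#ifndef ASSERT_LEVEL
#define ASSERT_LEVEL 0
#endif
/* Invariant check that is compiled out of release builds (level 0). */
#if ASSERT_LEVEL >= 1
#define DEBUG_ASSERT(cond) assert(cond)
#else
#define DEBUG_ASSERT(cond) ((void)0)
#endif
#define ERR_INVALIDDATA (-1)   /* constructed error code for rejected input */
/* Constructed lookup table; the index into it is read from the input stream. */
static const int CODEBOOK[4] = {10, 20, 30, 40};
#define CODEBOOK_SIZE ((int)(sizeof(CODEBOOK) / sizeof(CODEBOOK[0])))

/* Vulnerable pattern, mirroring the bare assert() calls the advisory lists:
 * idx comes from the first stream byte, so a crafted file decides whether the
 * process aborts. Unless NDEBUG is defined, a release build still aborts. */
static int decode_codebook_bare(const unsigned char *stream, int *out)
{
    int idx = (int)stream[0] - 1;  /* a 0x00 byte yields idx == -1 */
    assert(idx >= 0);              /* abort driven by attacker-controlled data */
    *out = CODEBOOK[idx];          /* and no upper-bound check at all */
    return 0;
}

/* Hardened pattern: validate input-derived values and return an error the
 * caller can propagate; reserve assert() for genuine program invariants. */
static int decode_codebook_checked(const unsigned char *stream, size_t len,
                                   int *out)
{
    int idx;
    if (stream == NULL || len < 1 || out == NULL)
        return ERR_INVALIDDATA;
    idx = (int)stream[0] - 1;
    if (idx < 0 || idx >= CODEBOOK_SIZE)
        return ERR_INVALIDDATA;      /* reject the frame, do not abort */
    DEBUG_ASSERT(CODEBOOK_SIZE > 0); /* invariant, not input: debug-only */
    *out = CODEBOOK[idx];
    return 0;
}

/* Decoded value, or ERR_INVALIDDATA; convenient for callers and tests. */
static int decode_codebook_value(const unsigned char *stream, size_t len)
{
    int v = 0;
    return decode_codebook_checked(stream, len, &v) == 0 ? v : ERR_INVALIDDATA;
}
```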
