CVE-2025-8584
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability classified as problematic was found in libav up to 12.3. Affected by this vulnerability is the function av_buffer_unref of the file libavutil/buffer.c of the component AVI File Parser. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The bug was initially reported by the researcher to the wrong project. This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-05
Last Modified
2026-04-29
Generated
2026-05-27
AI Q&A
2025-08-05
EPSS Evaluated
2026-05-25
NVD
CVE-2025-8584
EUVD
EUVD-2025-23644
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libav libav to 12.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-8584 is a vulnerability in libav (up to version 12.3) affecting the AVI File Parser component, specifically the function av_buffer_unref in libavutil/buffer.c. It is a null pointer dereference issue where the software attempts to use a pointer that is NULL, causing the application to crash or exit unexpectedly. This happens when processing malformed AVI files encoded with the CFHD codec, due to the buffer management code calling a null release function pointer during cleanup. Exploitation requires local access and is considered easy to perform. The affected versions are no longer supported, and no known mitigations exist. [1, 2]


How can this vulnerability impact me? :

This vulnerability can cause denial of service by crashing the application (libav) when it processes specially crafted malformed AVI files. This crash results from a null pointer dereference during buffer cleanup, leading to a segmentation fault. Since exploitation requires local access, an attacker with such access can cause the application to terminate unexpectedly, impacting availability of the service or software relying on libav. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to process a malformed AVI file encoded with the CFHD codec using the avconv tool from libav. A command to trigger the vulnerability and observe a crash (segmentation fault) is: avconv -i malformed_cfhd.avi -f null - If the program crashes with a segmentation fault, it indicates the presence of the vulnerability. A proof-of-concept malformed AVI file is publicly available for testing. [2]


What immediate steps should I take to mitigate this vulnerability?

There are no known countermeasures or mitigations for this vulnerability as the affected libav versions are no longer supported by the maintainer. The suggested immediate step is to replace libav with an alternative product to avoid exposure to this vulnerability. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart