CVE-2025-69693
Received Received - Intake
Out-of-Bounds Read in FFmpeg RV60 Decoder Causes Memory Crash

Publication date: 2026-03-16

Last updated on: 2026-03-19

Assigner: MITRE

Description
Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c). The quantization parameter (qp) validation at line 2267 only checks the lower bound (qp < 0) but is missing upper bound validation. The qp value can reach 65 (base value 63 from 6-bit frame header + offset +2 from read_qp_offset) while the rv60_qp_to_idx array has size 64 (valid indices 0-63). This results in out-of-bounds array access at lines 1554 (decode_cbp8), 1655 (decode_cbp16), and 1419/1421 (get_c4x4_set), potentially leading to memory disclosure or crash. A previous fix in commit 61cbcaf93f added validation only for intra frames. This vulnerability affects the released versions 8.0 (released 2025-08-22) and 8.0.1 (released 2025-11-20) and is fixed in git master commit 8abeb879df which will be included in FFmpeg 8.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-14
NVD
CVE-2025-69693
EUVD
EUVD-2025-208761
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
ffmpeg ffmpeg 8.0
ffmpeg ffmpeg 8.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an out-of-bounds read in the FFmpeg 8.0 and 8.0.1 RV60 video decoder, specifically in the file libavcodec/rv60dec.c. The issue arises because the quantization parameter (qp) validation only checks if qp is less than 0 but does not check if qp exceeds the upper bound.

The qp value can reach 65 due to the combination of a base value from the 6-bit frame header (maximum 63) plus an offset of 2. However, the array rv60_qp_to_idx, which qp indexes into, only has 64 elements (indices 0 to 63). This causes out-of-bounds array access in several functions (decode_cbp8, decode_cbp16, and get_c4x4_set), which can lead to memory disclosure or crashes.

A previous fix addressed validation only for intra frames, but this vulnerability affects all frames. The issue is fixed in the git master branch with an added upper bound check on qp to prevent it from exceeding 63.

Impact Analysis

This vulnerability can lead to out-of-bounds memory access during video decoding, which may cause memory corruption or application crashes.

Such memory corruption could potentially be exploited to disclose sensitive information from memory or cause denial of service by crashing the application using the vulnerable FFmpeg versions.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade FFmpeg to a version that includes the fix for CVE-2025-69693.

The vulnerability affects FFmpeg versions 8.0 and 8.0.1. The fix is included in the git master commit 8abeb879df and will be part of FFmpeg 8.1.

Until you can upgrade, avoid processing untrusted RV60 video streams with vulnerable FFmpeg versions to reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69693. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart