CVE-2026-30998
Improper Resource Deallocation in FFmpeg zmqsend.c Causes DoS
Publication date: 2026-04-13
Last updated on: 2026-04-23
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ffmpeg | ffmpeg | up to and including 8.0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an improper resource deallocation and closure issue in the tools/zmqsend.c component of FFmpeg, affecting versions up to and including 8.0.1. It is triggered when the program processes a crafted input file, which can cause the tool to free or close resources incorrectly.
Specifically, an attacker who can supply a specially crafted input file to the zmqsend tool can cause a Denial of Service (DoS). zmqsend is a small command-line utility built from FFmpeg's tools/ directory (only when FFmpeg is configured with libzmq support): it reads commands from an input file and sends them over a ZeroMQ socket to a running ffmpeg process, which receives them through the zmq/azmq filters. The attack surface is therefore the command file handed to zmqsend, not network traffic arriving at ffmpeg itself.
How can this vulnerability impact me?
The primary impact of this vulnerability is a Denial of Service (DoS). An attacker who can influence the input file given to the zmqsend tool can cause it to deallocate or close resources improperly, which may crash the tool or cause it to become unresponsive.
This disruption can affect any system or service that relies on zmqsend to drive a running ffmpeg process over ZeroMQ, for example automated pipelines that generate zmqsend command files from external data, interrupting media processing workflows or the control channel into the filtergraph.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an improper resource deallocation and closure in the FFmpeg tool zmqsend.c when processing crafted input files, leading to a Denial of Service (DoS). Detection can focus on identifying FFmpeg installations in the affected range (8.0.1 and earlier) that were built with libzmq, locating the zmqsend binary, and watching how it is invoked and which input files it is given.
To detect potential exploitation attempts, monitor for crashes or abnormal termination of the zmqsend process, and for unusual ZeroMQ traffic to the endpoint it connects to (default tcp://localhost:5555, or whatever custom address is passed to the tool).
Suggested commands to check for the presence and usage of the vulnerable tool and to monitor ZeroMQ traffic include:
- Check the installed FFmpeg version: `ffmpeg -version` (the first line reports the release; 8.0.1 and earlier are in the affected range)
- Check whether the build includes libzmq at all: `ffmpeg -buildconf | grep libzmq` or `ffmpeg -filters | grep zmq`; without `--enable-libzmq`, tools/zmqsend.c is not compiled
- Check whether the zmqsend binary is present: `which zmqsend`; note that zmqsend is not installed by the default FFmpeg install target, so also look in FFmpeg build trees under `tools/`
- Monitor running processes for zmqsend usage: `ps aux | grep zmqsend`
- Monitor ZeroMQ traffic on the default port (5555) or custom ports using network tools such as `netstat -anp | grep 5555` or `ss -anp | grep 5555`
- Use logging or debugging to detect crashes or errors from zmqsend, for example by checking system logs (journalctl, dmesg) for segmentation faults or abnormal exits of the zmqsend process
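The checks above, combined into one script. This is an added example written for this page, not code from the FFmpeg project or from the advisory. It parses the first line of `ffmpeg -version` against the affected range the table above gives (up to and including 8.0.1), checks `ffmpeg -buildconf` for `--enable-libzmq`, and looks for a zmqsend binary on PATH; the sample version strings in the comments are constructed for illustration. It makes no attempt to detect exploitation itself, only exposure.

```shell
#!/bin/sh
# Added example (not from the FFmpeg project or the advisory): report whether
# this host's FFmpeg falls in the range listed as affected by CVE-2026-30998
# (<= 8.0.1) and whether the build enables libzmq, since tools/zmqsend.c is
# only built against libzmq. POSIX sh, no bash-isms.

# version_le_8_0_1 VERSION
#   0 -> VERSION is <= 8.0.1 (in the affected range)
#   1 -> VERSION is newer than 8.0.1
#   2 -> VERSION is not a parseable release (e.g. git snapshot "N-123456-gabcdef12")
version_le_8_0_1() {
    # Accept forms like "8.0.1", "n8.0.1-2-gabcdef", "8.0.1-full_build-...",
    # "4.4.2-0ubuntu0.22.04.1" and "7.1": keep the leading digits-and-dots run.
    v=$(printf '%s\n' "$1" | sed -n 's/^n\{0,1\}\([0-9][0-9.]*\).*/\1/p' | sed 's/\.*$//')
    [ -n "$v" ] || return 2
    case $v in
        *.*.*) major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*} ;;
        *.*)   major=${v%%.*}; minor=${v#*.}; patch=0 ;;
        *)     major=$v; minor=0; patch=0 ;;
    esac
    [ -n "$minor" ] || minor=0
    [ -n "$patch" ] || patch=0
    # Pack major.minor.patch into one integer so a single comparison covers all fields.
    packed=$((major * 1000000 + minor * 1000 + patch))
    [ "$packed" -le 8000001 ]
}

# ffmpeg_version_line_affected "LINE"
#   LINE is the first line of `ffmpeg -version`, e.g.
#   "ffmpeg version 8.0.1 Copyright (c) 2000-2025 the FFmpeg developers".
#   Same return codes as version_le_8_0_1; 2 if the line is not in that shape.
ffmpeg_version_line_affected() {
    set -- $1   # split on whitespace: $1=ffmpeg $2=version $3=<version token>
    [ "$1" = "ffmpeg" ] && [ "$2" = "version" ] || return 2
    version_le_8_0_1 "$3"
}

# buildconf_has_libzmq "TEXT"
#   TEXT is the output of `ffmpeg -buildconf`; succeeds if --enable-libzmq is present.
buildconf_has_libzmq() {
    printf '%s\n' "$1" | grep -q -- '--enable-libzmq'
}

# Live check on this host, if ffmpeg is on PATH. Exposure additionally requires
# that a zmqsend binary exists and is fed an input file an attacker can influence.
if command -v ffmpeg >/dev/null 2>&1; then
    line=$(ffmpeg -version 2>/dev/null | head -n 1)
    rc=0
    ffmpeg_version_line_affected "$line" || rc=$?
    case $rc in
        0) echo "in affected range (<= 8.0.1): $line" ;;
        1) echo "newer than 8.0.1: $line" ;;
        *) echo "could not parse a release version from: $line" ;;
    esac
    if buildconf_has_libzmq "$(ffmpeg -buildconf 2>/dev/null)"; then
        echo "built with --enable-libzmq: zmqsend may have been built from tools/"
    else
        echo "built without libzmq: tools/zmqsend.c is not compiled in this build"
    fi
    if command -v zmqsend >/dev/null 2>&1; then
        echo "zmqsend found at: $(command -v zmqsend)"
    fi
fi
```

Git snapshot builds (version tokens like N-123456-gabcdef12) return 2 rather than being silently treated as safe, so they need a manual look at the commit rather than the release number.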
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediate steps include:
- Avoid using the zmqsend tool from FFmpeg 8.0.1 or earlier until a version that addresses this issue is available.
- Restrict access to the zmqsend tool, and to the ZeroMQ endpoint it connects to (default tcp://localhost:5555), to trusted users and processes only.
- Do not feed zmqsend input files that come from, or are derived from, untrusted sources; the crafted input file is the trigger for this issue.
- Monitor and log invocations of zmqsend and the associated ZeroMQ traffic to detect suspicious activity or repeated crashes.
- Apply any patches or updates from FFmpeg that address this vulnerability once they are released.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The available information about the vulnerability in FFmpeg's tools/zmqsend.c component does not include any details regarding its impact on compliance with common standards and regulations such as GDPR or HIPAA.