A recently identified vulnerability, CVE-2025-22919, in FFmpeg's git-master commit N-113007-g8d24a28d06 allows an attacker to cause a Denial of Service (DoS) with a crafted Advanced Audio Coding (AAC) file. In this post, we look at the specifics of the vulnerability, show the relevant code snippet, link to the original source material, and describe how the flaw is triggered.

Vulnerability: CVE-2025-22919

FFmpeg is a popular open-source library for processing multimedia files (decoding, encoding, transcoding, and streaming) and is used for video and audio handling across a broad ecosystem of software. FFmpeg's git-master commit N-113007-g8d24a28d06 has been found to contain a reachable assertion (CWE-617) in the handling of AAC files. An AAC file crafted by a malicious actor triggers the assertion and terminates the decoding process, which is the Denial of Service.

CVE-2025-22919 stems from a check in FFmpeg's AAC decoding logic that is implemented as an assertion rather than as validation of untrusted input. A malicious AAC file can violate the asserted condition, and the process aborts instead of rejecting the file. For any service that decodes user-supplied media with FFmpeg, that is a disruption of the whole process, not just of the one file.

Below is the relevant code snippet from the affected FFmpeg commit N-113007-g8d24a28d06. The problem is an 'assert' statement that is reachable with attacker-controlled values when processing specific AAC files.

Code Snippet

static void decode_prediction(AACContext *ac, IndividualChannelStream *ics,
                              ChannelElement *cpe)
{
    ...

    /* icg->num_win_group is derived from the bitstream (declaration elided above).
     * Reachable assertion: a value of 0 or above 8 aborts the process. */
    av_assert1(icg->num_win_group > 0 && icg->num_win_group <= 8);

    ...
}

Exploit Details

The vulnerability lies in the 'assert' statement being reachable while processing a particular AAC file. An assert is meant to document an invariant that the programmer believes can never be false; here, 'num_win_group' is expected to fall within the range 1-8. When the condition is false, FFmpeg's assert macros call abort(), so the whole process terminates abnormally, which is the DoS. Two practitioner caveats: first, a value that comes out of the bitstream is not an invariant but untrusted input, and the correct treatment is a range check that returns an error (in FFmpeg, typically AVERROR_INVALIDDATA) so the decoder rejects the file and keeps running; second, FFmpeg has several assertion levels. av_assert0 is always compiled in, whereas av_assert1 is only active when FFmpeg is configured with --assert-level=1 or higher, so whether a given build actually aborts depends on which macro the affected code uses and how the library was built.

To trigger the flaw, an attacker crafts an AAC file in which the decoded 'icg->num_win_group' value falls outside the accepted range of 1-8, so the 'assert' statement fails. When FFmpeg processes the file, abort() is called and the process embedding the decoder (ffmpeg, ffplay, or any application linking libavcodec) crashes. No memory corruption is needed; the crash itself is the impact.
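The two patterns described above, the assertion that aborts on attacker-controlled input and the input-validation check that replaces it, side by side. This is an added illustration written for this post, not FFmpeg's code: the IcsGroupInfo struct, the ERR_INVALIDDATA code, the one-byte header layout with the group count in the low nibble, and the craft_header() helper are all constructed stand-ins, and the real AAC bitstream and FFmpeg structs look different.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the decoder's group info and error code. These are
 * not FFmpeg's real structs, macros or bitstream layout. */
#define MAX_WIN_GROUPS   8
#define ERR_INVALIDDATA  (-1)   /* plays the role of AVERROR_INVALIDDATA */

typedef struct {
    int num_win_group;
    int group_len[MAX_WIN_GROUPS];
} IcsGroupInfo;

/* Hypothetical header: byte 0, low 4 bits = number of window groups,
 * followed by one length byte per group. */

/* Vulnerable pattern: the count comes straight from the file and is only
 * guarded by an assertion. A count of 0 or 9..15 fails the check and the whole
 * process dies in abort(): the reachable-assertion DoS. */
static int parse_groups_assert(const uint8_t *buf, size_t len, IcsGroupInfo *icg)
{
    if (len < 1)
        return ERR_INVALIDDATA;
    icg->num_win_group = buf[0] & 0x0f;
    if (!(icg->num_win_group > 0 && icg->num_win_group <= MAX_WIN_GROUPS)) {
        fprintf(stderr, "assertion failed: 1 <= num_win_group <= 8\n");
        abort();                      /* what av_assert0/av_assert1 do on failure */
    }
    if (len < 1 + (size_t)icg->num_win_group)
        return ERR_INVALIDDATA;
    for (int g = 0; g < icg->num_win_group; g++)
        icg->group_len[g] = buf[1 + g];
    return 0;
}

/* Hardened pattern: the same range check, but a bad value is answered with an
 * error return the caller can handle, so the process stays alive. */
static int parse_groups_checked(const uint8_t *buf, size_t len, IcsGroupInfo *icg)
{
    if (len < 1)
        return ERR_INVALIDDATA;
    int n = buf[0] & 0x0f;
    if (n < 1 || n > MAX_WIN_GROUPS)
        return ERR_INVALIDDATA;       /* reject the frame, keep decoding the stream */
    if (len < 1 + (size_t)n)
        return ERR_INVALIDDATA;
    icg->num_win_group = n;
    for (int g = 0; g < n; g++)
        icg->group_len[g] = buf[1 + g];
    return 0;
}

/* Builds the kind of input an attacker would craft: a header claiming `count`
 * window groups (0 and 9..15 are out of range). out must hold 16 bytes.
 * Returns the number of bytes written. */
static size_t craft_header(int count, uint8_t *out)
{
    int body = count & 0x0f;
    out[0] = (uint8_t)body;
    for (int g = 0; g < body; g++)
        out[1 + g] = (uint8_t)(4 * (g + 1));   /* arbitrary group lengths */
    return 1 + (size_t)body;
}

int main(void)
{
    uint8_t buf[16];
    IcsGroupInfo icg;

    /* Well-formed input: both parsers accept it and return 0. */
    size_t n = craft_header(3, buf);
    printf("valid header (3 groups): assert-parser=%d checked-parser=%d\n",
           parse_groups_assert(buf, n, &icg), parse_groups_checked(buf, n, &icg));

    /* Crafted input: counts 9 and 0 are outside 1..8. The checked parser
     * returns ERR_INVALIDDATA; parse_groups_assert() would abort() here. */
    n = craft_header(9, buf);
    printf("crafted header (9 groups): checked-parser=%d\n",
           parse_groups_checked(buf, n, &icg));
    n = craft_header(0, buf);
    printf("crafted header (0 groups): checked-parser=%d\n",
           parse_groups_checked(buf, n, &icg));
    return 0;
}
```

The fix for a reachable assertion is almost always this mechanical: keep the condition, replace the abort with an error return, and make sure the caller propagates it. The asserting parser is deliberately not fed the crafted headers in main(), since that would terminate the program; that is exactly the behaviour the CVE describes.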

Original References

The original sources for CVE-2025-22919 are:

- FFmpeg Git Repository: N-113007-g8d24a28d06 Commit
- National Vulnerability Database (NVD) CVE-2025-22919

Conclusion

CVE-2025-22919 is a reachable assertion in FFmpeg's git-master commit N-113007-g8d24a28d06 that lets an attacker crash any process decoding a crafted AAC file. To mitigate the risk, update FFmpeg to a build that contains the fix and treat AAC files from untrusted sources with care. Because the impact is a process abort, services that decode user-supplied media should also run the decoder in a separate, restartable process or sandbox so that a single malformed file cannot take the whole service down.

Timeline

Published on: 02/18/2025 23:15:10 UTC
Last modified on: 02/19/2025 22:15:23 UTC