Updated ffmpeg packages fix security vulnerabilities
Publication date: 26 May 2026
Modification date: 26 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-30997, CVE-2026-40962
Description
An out-of-bounds read in the read_global_param() function
(libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a
Denial of Service (DoS) via a crafted input. (CVE-2026-30997)
FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds
write via CENC (Common Encryption) subsample data to libavformat/mov.c.
(CVE-2026-40962)
References
- https://bugs.mageia.org/show_bug.cgi?id=35546
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/4TOCC22G6AHEU62PA7DQARAPJYTW6XSE/
- https://excellent-oatmeal-319.notion.site/CVE-2026-30997-Out-of-Bounds-Access-a7929817b9794568b2f7774397c7d65f
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-30997
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40962
SRPMS
9/core
- ffmpeg-5.1.9-1.mga9
9/tainted
- ffmpeg-5.1.9-1.mga9.tainted