CVE-2026-40962
FFmpeg Vulnerability Analysis and Mitigation

Overview

CVE-2026-40962 is an integer overflow and out-of-bounds write vulnerability in FFmpeg's libavformat/mov.c, triggered via CENC (Common Encryption) subsample data when processing crafted media files. It affects all FFmpeg versions before 8.1, with affected product versions noted as 4.1 through pre-8.1 (GitHub Advisory, Red Hat Bugzilla). The vulnerability was published on April 16, 2026. CVSS scores differ by source: GitHub Advisory and ENISA assign a CVSS v3.1 score of 4.9 (Moderate) with a local attack vector, while Feedly's aggregated intelligence estimates a score of 9.8 (Critical) with a network attack vector (GitHub Advisory).

Technical Details

The root cause is an integer overflow (CWE-190) in FFmpeg's MOV/MP4 demuxer (libavformat/mov.c) when parsing CENC (Common Encryption) subsample data, which results in an out-of-bounds write (CWE-787). An attacker can craft a malicious media file with specially constructed CENC subsample metadata that causes an arithmetic overflow during size or index calculations, leading to a heap or stack buffer write beyond allocated bounds. The fix is tracked in FFmpeg pull request #22348 (FFmpeg PR, GitHub Advisory). A technical write-up is available at Infinit Security (Infinit Security).
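To make the bug class concrete, the following is an added example, not code from FFmpeg or from the fix in PR #22348: a hypothetical subsample-table parser that shows the unchecked size computation beside its overflow-checked form. The entry layout (a 16-bit BytesOfClearData field followed by a 32-bit BytesOfProtectedData field, 6 bytes per entry) follows the CENC subsample entry format, but every function name, the box layout with a leading 4-byte count, and the three sample boxes are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* One CENC subsample entry: 2-byte clear length + 4-byte protected length. */
#define SUBSAMPLE_ENTRY_SIZE 6u

/* Vulnerable pattern (hypothetical): the table size is computed in 32-bit
 * arithmetic, so a large count wraps to a small value. A buffer sized from
 * this result is then overrun when the full table is copied into it. */
static uint32_t unchecked_table_size(uint32_t subsample_count)
{
    return subsample_count * SUBSAMPLE_ENTRY_SIZE;   /* wraps past 2^32 - 1 */
}

/* Hardened pattern: reject the count if the product would overflow size_t or
 * if it claims more bytes than the enclosing box actually contains. */
static bool checked_table_size(uint32_t subsample_count, size_t bytes_available,
                               size_t *out_size)
{
    if (subsample_count > SIZE_MAX / SUBSAMPLE_ENTRY_SIZE)
        return false;                               /* multiplication would overflow */
    size_t total = (size_t)subsample_count * SUBSAMPLE_ENTRY_SIZE;
    if (total > bytes_available)
        return false;                               /* count exceeds the box payload */
    *out_size = total;
    return true;
}

/* Parse a box body laid out as: 4-byte big-endian entry count, then the
 * entries. Entries are copied into dst only after the size is validated
 * against both the box length and the destination capacity.
 * Returns the entry count on success, -1 on a malformed table. */
static int parse_subsample_table(const uint8_t *box, size_t box_len,
                                 uint8_t *dst, size_t dst_cap)
{
    if (box_len < 4)
        return -1;
    uint32_t count = ((uint32_t)box[0] << 24) | ((uint32_t)box[1] << 16) |
                     ((uint32_t)box[2] << 8)  |  (uint32_t)box[3];
    size_t table_bytes;
    if (!checked_table_size(count, box_len - 4, &table_bytes))
        return -1;
    if (table_bytes > dst_cap)
        return -1;
    memcpy(dst, box + 4, table_bytes);
    return (int)count;
}

/* Constructed sample boxes: two valid entries, then the same 12 bytes of
 * entries behind a count of 0x80000000, then behind a count of 3 (which
 * claims 18 bytes where only 12 are present). */
#define TWO_ENTRIES 0x00,0x10, 0x00,0x00,0x01,0x00,  0x00,0x00, 0x00,0x00,0x02,0x00
static const uint8_t GOOD_BOX[]      = { 0x00,0x00,0x00,0x02, TWO_ENTRIES };
static const uint8_t HOSTILE_BOX[]   = { 0x80,0x00,0x00,0x00, TWO_ENTRIES };
static const uint8_t TRUNCATED_BOX[] = { 0x00,0x00,0x00,0x03, TWO_ENTRIES };

int demo_parse_good(void)
{
    uint8_t dst[64];
    return parse_subsample_table(GOOD_BOX, sizeof GOOD_BOX, dst, sizeof dst);
}

int demo_parse_hostile(void)
{
    uint8_t dst[64];
    return parse_subsample_table(HOSTILE_BOX, sizeof HOSTILE_BOX, dst, sizeof dst);
}

int demo_parse_truncated(void)
{
    uint8_t dst[64];
    return parse_subsample_table(TRUNCATED_BOX, sizeof TRUNCATED_BOX, dst, sizeof dst);
}

int main(void)
{
    /* 0x80000000 * 6 = 3 * 2^32, which wraps to 0 in 32-bit arithmetic. */
    printf("unchecked size for count 0x80000000: %u\n", unchecked_table_size(0x80000000u));
    printf("good box      -> %d\n", demo_parse_good());      /* 2  */
    printf("hostile box   -> %d\n", demo_parse_hostile());   /* -1 */
    printf("truncated box -> %d\n", demo_parse_truncated()); /* -1 */
    return 0;
}
```

The point of the two size functions is the order of checks: the overflow test must run before the multiplication, and the result must then be compared with the bytes actually present in the box, because a count that survives the overflow test can still exceed the payload. Running the binary under ASan is a quick way to confirm that the unchecked pattern is the one that corrupts memory.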

Impact

Successful exploitation can result in memory corruption, potentially enabling information disclosure, data integrity violations, or denial of service. In environments where FFmpeg processes untrusted media files (e.g., media servers, transcoding pipelines, streaming platforms), an attacker could supply a crafted file to crash the FFmpeg process or potentially achieve arbitrary code execution depending on memory layout and exploit reliability. The confidentiality, integrity, and availability impacts are each rated Low under the conservative CVSS scoring, though more aggressive scoring estimates High impact across all three dimensions (GitHub Advisory, Red Hat Bugzilla).

Exploitation Steps

  1. Craft a malicious media file: Create an MP4 or MOV file containing a CENC (Common Encryption) protection scheme with specially crafted subsample data entries designed to trigger an integer overflow in libavformat/mov.c during size calculations.
  2. Deliver the file: Submit the crafted media file to a target system running a vulnerable FFmpeg version (< 8.1) — for example, via a media upload endpoint, a streaming URL, or a file-sharing service that triggers automatic transcoding.
  3. Trigger parsing: FFmpeg processes the file and parses the CENC subsample data. The integer overflow occurs during arithmetic on subsample size or count fields, causing the computed buffer size to be smaller than required.
  4. Out-of-bounds write: FFmpeg writes data beyond the allocated buffer boundary, corrupting adjacent memory. Depending on heap layout, this may overwrite function pointers, metadata, or other control structures.
  5. Achieve objective: Depending on exploit reliability and memory layout, the attacker may cause a crash (denial of service) or, in a more advanced scenario, achieve arbitrary code execution in the context of the FFmpeg process (GitHub Advisory, Infinit Security).

Indicators of Compromise

  • File System: Presence of unusual or unexpected MP4/MOV files with CENC encryption metadata in media processing directories; files with anomalously large or malformed subsample count fields.
  • Process: FFmpeg process crashes or segmentation faults (SIGSEGV) when processing specific media files; core dump files generated by the FFmpeg process.
  • Logs: Application logs showing FFmpeg errors or abrupt termination during MOV/MP4 demuxing; error messages referencing libavformat/mov.c or CENC subsample parsing.
  • Network: Unexpected inbound media file submissions to transcoding or media processing endpoints, particularly files with CENC protection schemes from untrusted or external sources.

Mitigation and Workarounds

Upgrade FFmpeg to version 8.1 or later, which contains the fix for this vulnerability (FFmpeg PR, GitHub Advisory). For systems that cannot be patched immediately, restrict FFmpeg's exposure to untrusted media sources and implement input validation or sandboxing around media processing pipelines. OpenSUSE and other Linux distributions have issued security update advisories for their packaged FFmpeg versions. Monitor for exploitation attempts targeting CENC subsample data processing in media files.

Community Response

Red Hat has filed a tracking bug (Bug 2458862) and assigned medium severity, with multiple product security team members listed as CC (Red Hat Bugzilla). OpenSUSE issued security announcements for affected FFmpeg packages, and the Yocto Project security mailing list has discussed the vulnerability in the context of embedded Linux builds. Mageia also published a security advisory (MGASA-2026-0153). Community discussion has been limited, with no significant social media amplification observed.

Related Information


Sources

This report was generated using AI.

Related FFmpeg vulnerabilities:

| CVE ID | Severity | Score | Technology | Component | CISA KEV Exploited | Fix Available | Published |
|---|---|---|---|---|---|---|---|
| CVE-2026-40962 | CRITICAL | 9.8 | FFmpeg | ffmpeg-4 | No | Yes | Apr 16, 2026 |
| CVE-2026-8461 | HIGH | 8.8 | FFmpeg | ffmpeg-8.1 | No | Yes | Jun 18, 2026 |
| CVE-2026-30999 | HIGH | 7.5 | FFmpeg | cpe:2.3:a:ffmpeg:ffmpeg | No | Yes | Apr 13, 2026 |
| CVE-2026-12706 | MEDIUM | 6.5 | FFmpeg | ffmpeg | No | Yes | Jun 19, 2026 |
| CVE-2026-6385 | MEDIUM | 6.5 | FFmpeg | ffmpeg | No | Yes | Apr 15, 2026 |
