CVE-2026-6385
Ffmpeg Vulnerability Analysis and Mitigation

Overview

CVE-2026-6385 is a signed integer overflow vulnerability in FFmpeg's DVD subtitle parser that can lead to a heap out-of-bounds write, resulting in denial of service or potentially arbitrary code execution. A remote attacker can exploit this flaw by supplying a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. The vulnerability was disclosed on April 15, 2026, and affects FFmpeg (specific patched versions are not yet publicly confirmed). It carries a CVSS v3.1 base score of 6.5 (Medium) (Red Hat CVE, GitHub Advisory).

Technical Details

The root cause is a signed integer overflow (CWE-190) in FFmpeg's DVD subtitle parser during fragment reassembly bounds checks. When processing a malformed MPEG-PS/VOB file, the parser performs arithmetic on signed integers that can overflow, causing the resulting value to wrap to a small or negative number. This corrupted bounds value is then used in heap memory operations, leading to an out-of-bounds write. Exploitation requires user interaction (a victim must open or process the malicious media file), but no privileges are required on the attacker's side (Red Hat Bugzilla, GitHub Advisory).

Impact

Successful exploitation primarily results in a denial of service through an application crash when FFmpeg processes the malicious media file. In more severe scenarios, the heap out-of-bounds write could be leveraged to achieve arbitrary code execution in the context of the FFmpeg process. Confidentiality and integrity impacts are rated as none in the current CVSS assessment, with availability being the primary concern; however, the potential for code execution introduces risk to any system or service that automatically processes user-supplied media files (Red Hat CVE, GitHub Advisory).

Exploitation Steps

  1. Craft malicious media file: Create a specially crafted MPEG-PS or VOB file containing a DVD subtitle stream with malformed fragment reassembly data designed to trigger a signed integer overflow in FFmpeg's subtitle parser bounds checks.
  2. Deliver the file to the target: Distribute the malicious file via email attachment, web download, shared storage, or any channel where the victim or an automated system will process it with FFmpeg (e.g., a media transcoding service).
  3. Trigger parsing: The victim opens the file in an FFmpeg-based application, or an automated pipeline processes it, causing FFmpeg to invoke the DVD subtitle parser on the malicious stream.
  4. Trigger integer overflow: The parser performs signed integer arithmetic during fragment reassembly bounds checks; the overflow causes the bounds value to wrap, resulting in a heap out-of-bounds write.
  5. Achieve DoS or code execution: At minimum, the out-of-bounds write corrupts heap memory and crashes the application (DoS). Under favorable memory layout conditions, an attacker may achieve arbitrary code execution in the FFmpeg process context (Red Hat Bugzilla, GitHub Advisory).

Indicators of Compromise

  • Process: FFmpeg process crashing unexpectedly or producing segmentation faults when processing MPEG-PS/VOB files; core dump files generated by the FFmpeg process.
  • Logs: Application logs showing FFmpeg errors or crashes during DVD subtitle stream parsing; error messages referencing subtitle fragment reassembly or out-of-bounds memory access.
  • File System: Presence of unexpected or externally sourced .vob, .mpg, or .mpeg files in media processing directories, particularly those with unusually large or malformed subtitle streams.
  • Network: Unusual inbound transfers of MPEG-PS/VOB files to media processing servers from untrusted sources; automated pipelines receiving media from external or unauthenticated endpoints.

Mitigation and Workarounds

The primary remediation is to update FFmpeg to a patched build once an official fixed version is released; users should monitor the FFmpeg project and Red Hat advisories for patch availability. As an interim workaround, reject or sanitize untrusted MPEG-PS/VOB media files before processing, and consider disabling DVD subtitle stream parsing if not required. Automated media processing pipelines should enforce strict input validation and avoid processing files from untrusted sources until a patch is applied (Red Hat Bugzilla, Red Hat CVE).

Community Response

Community discussion in the Red Hat Bugzilla thread noted the difficulty of mitigating a parser-level issue without a patched build, with commenters recommending rejection of unsupported or untrusted media formats as a stopgap. No major vendor statements beyond Red Hat's advisory or notable researcher commentary have been identified at this time (Red Hat Bugzilla).

Related Information

Sources

This report was generated using AI.

Related Ffmpeg vulnerabilities:

CVE ID         | Severity | Score | Technology | Component               | CISA KEV Exploited | Fix Available | Published
CVE-2026-40962 | CRITICAL | 9.8   | Ffmpeg     | ffmpeg-4                | No                 | Yes           | Apr 16, 2026
CVE-2026-8461  | HIGH     | 8.8   | Ffmpeg     | ffmpeg-8.1              | No                 | Yes           | Jun 18, 2026
CVE-2026-30999 | HIGH     | 7.5   | Ffmpeg     | cpe:2.3:a:ffmpeg:ffmpeg | No                 | Yes           | Apr 13, 2026
CVE-2026-12706 | MEDIUM   | 6.5   | Ffmpeg     | ffmpeg                  | No                 | Yes           | Jun 19, 2026
CVE-2026-6385  | MEDIUM   | 6.5   | Ffmpeg     | ffmpeg                  | No                 | Yes           | Apr 15, 2026
