CVE-2020-20446: 
Ffmpeg vulnerability analysis and mitigation

FFmpeg 4.2 is affected by a Divide By Zero vulnerability (CVE-2020-20446) discovered in the libavcodec/aacpsy.c component. The vulnerability was disclosed and tracked in multiple security advisories throughout 2021 (NVD, Debian Security).

The vulnerability stems from a division by zero operation at line 797 in libavcodec/aacpsy.c where the variable 'norm_fac' can become zero, leading to an arithmetic exception. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability allows a remote malicious user to cause a Denial of Service condition in the affected FFmpeg installation. The impact is limited to availability, with no direct effects on confidentiality or integrity of the system (NVD, FFmpeg Ticket).

Multiple Linux distributions have released security updates to address this vulnerability. Debian has patched the issue in version 7:4.1.8-0+deb10u1 for Debian 10 (Buster) and version 7:4.3.3-0+deb11u1 for Debian 11 (Bullseye). Users are advised to upgrade their FFmpeg packages to these patched versions (Debian LTS, DSA-4990, DSA-4998).