
Cloud Vulnerability DB
A community-led vulnerabilities database
A Denial of Service vulnerability (CVE-2020-20451) was discovered in FFmpeg version 4.2. The vulnerability stems from resource management errors in the fftools/cmdutils.c file. This vulnerability was initially reported in August 2020 and was later addressed in various FFmpeg versions (FFmpeg Ticket, Debian Advisory).
The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue is classified under CWE-401 (Missing Release of Memory after Effective Lifetime). The vulnerability specifically involves memory management issues in the grow_array function within the fftools/cmdutils.c component (NVD).
The vulnerability can lead to a Denial of Service condition through resource management errors. When successfully exploited, it could cause the application to become unresponsive or crash, affecting the availability of FFmpeg services (Debian Advisory).
The vulnerability has been fixed in multiple FFmpeg versions. For Debian 9 stretch, the fix was implemented in version 7:3.2.16-1+deb9u1. The permanent fix was committed by Andreas Rheinhardt with commit ID 21265f42ecb265debe9fec1dbfd0cb7de5a8aefb (Debian Advisory, FFmpeg Ticket).
Source: This report was generated using AI