CVE-2021-38291: 
Ffmpeg vulnerability analysis and mitigation

FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) was found to contain an assertion failure vulnerability in src/libavutil/mathematics.c. The vulnerability was discovered in June 2021 and affects multiple versions of FFmpeg, including versions up to 4.1.7, 4.2.0-4.2.5, 4.3.0-4.3.3, and 4.4.0-4.4.1 (NVD, FFmpeg Ticket).

The vulnerability occurs in the avrescaledelta function where, in some extreme cases with adpcmms samples containing high channel counts, getaudioframeduration() may return a negative frame duration value, triggering an assertion failure. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely without requiring privileges or user interaction (NVD).

When exploited, this vulnerability results in a denial of service condition through application crash due to the assertion failure. The impact is limited to availability, with no direct effects on confidentiality or integrity of the system (NVD).

The vulnerability was fixed in FFmpeg commit e01d306c647b5827102260b885faa223b646d2d1. Various Linux distributions have released security updates to address this issue, including Debian (versions 7:4.1.8-0+deb10u1 for Buster and 7:4.3.3-0+deb11u1 for Bullseye) and Gentoo (versions >= 4.4.3 and >= 6.0) (Debian Advisory, Gentoo Advisory).