
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in FFmpeg (CVE-2023-6604) that allows unexpected additional CPU load and storage consumption. The vulnerability was disclosed on January 6, 2025, affecting FFmpeg's XBIN demuxer functionality. The flaw specifically involves the demuxing of arbitrary data as XBIN-formatted data without proper format validation (NVD, RedHat Bugzilla).
The vulnerability occurs when FFmpeg processes input that begins with the 11-byte XBIN header. The remainder of the input is treated as an array of 16-bit (uint16_t) values, each pair of bytes denoting an ASCII character and its foreground/background colour attribute respectively. Because no structural validation is performed beyond the 11-byte header, non-XBIN data can be processed as XBIN data without error. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).
When exploited, this vulnerability can lead to significant resource consumption. For example, a 16MB sample MP4 file with a duration of 3m11s could result in over 3 minutes of transcoding time and produce a 352MB output file with a duration of 43m52s. This unexpected amplification of CPU load and storage requirements for transcoding could lead to degraded performance or denial of service (RedHat Bugzilla).
The XBIN demuxer should be selected only when the input file extension matches a known value (e.g., .XB). Additionally, proper validation of the input structure should be performed before the data is processed as XBIN (RedHat Bugzilla).
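As an added illustration (not FFmpeg's own code), the following Python checker applies the two mitigations above to a file before it reaches a demuxer: an extension gate and a structural check of the cell array beyond the 11-byte header. The header layout (magic "XBIN", 0x1A, width, height, font size, flags) and the optional palette and font sections follow the public XBIN specification; the geometry bounds are assumptions chosen here, and the sample inputs are constructed.

```python
import struct
from dataclasses import dataclass

XBIN_MAGIC = b"XBIN"
XBIN_EOF = 0x1A
HEADER_LEN = 11                 # the 11-byte header the advisory refers to
# Flag bits as in the XBIN specification (assumed standard layout).
FLAG_PALETTE = 0x01             # 48-byte palette follows the header
FLAG_FONT = 0x02                # font data (glyphs * fontsize bytes) follows
FLAG_COMPRESS = 0x04            # cell data is RLE-compressed; size not fixed
FLAG_512CHARS = 0x10            # font carries 512 glyphs instead of 256

@dataclass
class XbinHeader:
    width: int
    height: int
    fontsize: int
    flags: int

def parse_header(data: bytes) -> XbinHeader:
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    magic, eof, w, h, fs, fl = struct.unpack("<4sBHHBB", data[:HEADER_LEN])
    if magic != XBIN_MAGIC or eof != XBIN_EOF:
        raise ValueError("not an XBIN header")
    return XbinHeader(w, h, fs, fl)

def validate_xbin(data: bytes, filename: str) -> XbinHeader:
    # Check 1: extension gate, as recommended above.
    if not filename.lower().endswith(".xb"):
        raise ValueError(f"refusing {filename}: extension is not .xb")
    hdr = parse_header(data)
    # Check 2: plausible geometry (bounds are this example's assumption).
    if not (0 < hdr.width <= 160 and 0 < hdr.height <= 1024 and 0 < hdr.fontsize <= 32):
        raise ValueError(f"implausible geometry {hdr}")
    # Check 3: structure beyond the header: optional sections, then the cells.
    expected = HEADER_LEN
    if hdr.flags & FLAG_PALETTE:
        expected += 48
    if hdr.flags & FLAG_FONT:
        expected += (512 if hdr.flags & FLAG_512CHARS else 256) * hdr.fontsize
    cells = hdr.width * hdr.height * 2   # one uint16 (char, attribute) per cell
    if hdr.flags & FLAG_COMPRESS:
        if len(data) < expected + 2:     # at least one RLE run must be present
            raise ValueError("truncated compressed cell data")
    elif len(data) != expected + cells:
        raise ValueError(f"payload is {len(data)} bytes, expected {expected + cells}")
    return hdr

def is_valid_xbin(data: bytes, filename: str) -> bool:
    try:
        validate_xbin(data, filename)
        return True
    except ValueError:
        return False

def make_sample_xbin(width: int = 4, height: int = 2) -> bytes:
    # Constructed minimal uncompressed XBIN: no palette, no font, 'A' in grey.
    header = struct.pack("<4sBHHBB", XBIN_MAGIC, XBIN_EOF, width, height, 16, 0)
    return header + bytes([ord("A"), 0x07]) * (width * height)

# Constructed bytes that start like an MP4 (ftyp box) rather than an XBIN file.
NOT_XBIN = b"\x00\x00\x00\x18ftypisom" + b"\x00" * 16
```

The length check only applies to uncompressed files; a compressed XBIN would need the RLE runs walked to the end to confirm they cover exactly width x height cells.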
Source: This report was generated using AI