CVE-2024-36619: 
Ffmpeg vulnerability analysis and mitigation

FFmpeg n6.1.1 contains a vulnerability in the WAVARC decoder of the libavcodec library that allows for an integer overflow when handling certain block types, leading to a denial-of-service (DoS) condition. The vulnerability was discovered and disclosed on November 29, 2024, and affects the WAVARC decoder component (NVD, Debian Tracker).

The vulnerability is classified as an Integer Overflow or Wraparound (CWE-190) issue. The flaw specifically occurs in the WAVARC decoder when processing certain block types, particularly in block types 6 and 19. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

When exploited, this vulnerability can lead to a denial-of-service (DoS) condition in applications using the affected FFmpeg library. The integer overflow occurs during the handling of specific block types in the WAVARC decoder, which can cause the application to crash or become unresponsive (NVD).

A fix has been implemented in the FFmpeg repository through commit 28c7094b25b689185155a6833caf2747b94774a4, which addresses the signed integer overflow issue. The patch modifies the handling of block types 6 and 19 in the WAVARC decoder. Various Linux distributions have also released fixed versions, including Debian which has patched the vulnerability in multiple releases (FFmpeg Commit, Debian Tracker).