CVE-2024-7055: 
Ffmpeg vulnerability analysis and mitigation

A critical vulnerability was discovered in FFmpeg versions up to 7.0.1, identified as CVE-2024-7055. The vulnerability affects the pnmdecodeframe function in the library /libavcodec/pnmdec.c, leading to a heap-based buffer overflow. The issue can be exploited remotely, and public exploit code is available. The vulnerability was addressed in FFmpeg version 7.0.2 (FFmpeg Download, GitHub POC).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) occurring in the pnmdecodeframe function within libavcodec/pnmdec.c. According to the CVSS scoring, it has received a CVSS v4.0 Base Score of 6.9 (MEDIUM) with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N, and a CVSS v3.1 Base Score of 6.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L (NVD).

The heap-based buffer overflow vulnerability can potentially lead to arbitrary code execution and denial of service conditions. The vulnerability can be triggered remotely, making it particularly concerning for systems processing untrusted PNM image files (GitHub POC).

The recommended mitigation is to upgrade to FFmpeg version 7.0.2 or later, which contains the fix for this vulnerability. Users and administrators should prioritize this update to protect against potential exploitation (FFmpeg Download).