CVE-2025-1816: 
Ffmpeg vulnerability analysis and mitigation

A vulnerability classified as problematic was discovered in FFmpeg up to version 6e26f57f672b05e7b8b052007a83aef99dc81ccb, disclosed on March 2, 2025. The vulnerability affects the audioelementobu function in the libavformat/iamf_parse.c file, specifically within the IAMF File Handler component. The issue was assigned CVE-2025-1816 and has been patched with commit 0526535cd58444dd264e810b2f3348b4d96cff3b (FFmpeg Commit).

The vulnerability stems from missing constraints for the numparameters argument in the audioelement_obu function, which leads to a memory leak condition. The issue has been assigned a CVSS v4.0 base score of 5.3 (Medium) with vector AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N, and a CVSS v3.1 base score of 4.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L (NVD).

The vulnerability results in memory leaks when processing IAMF (Immersive Audio Model and Format) files. When exploited, this can lead to resource exhaustion and potential system performance degradation over time (FFmpeg Ticket).

The vulnerability has been fixed in FFmpeg through commit 0526535cd58444dd264e810b2f3348b4d96cff3b, which adds the missing constraints for numparameters in the audioelement_obu function. Users are recommended to update to a version containing this patch (FFmpeg Commit).