CVE-2025-7700: 
Ffmpeg vulnerability analysis and mitigation

A vulnerability was discovered in FFmpeg's ALS audio decoder (CVE-2025-7700) where it fails to properly check for memory allocation failures. The flaw was found in the decode_init() function and affects various versions of FFmpeg across multiple distributions (Debian Security, Ubuntu Security).

The vulnerability exists in the decodeinit() function of the ALS audio decoder, where memory allocation results (larray, nbits, rawmantissa[c]) are not properly validated before use. When allocation functions like avmallocarray() or av_calloc() fail, the code may dereference NULL pointers. The vulnerability has been assigned a CVSS 3.1 score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Ubuntu Security).

When exploited, this vulnerability can cause the application to crash when processing malformed audio files, resulting in a denial of service condition. While it does not lead to data theft or system control, it can be used to disrupt services. The vulnerability can be triggered remotely without authentication in applications using FFmpeg for ALS decoding (Debian Security, Ubuntu Security).

Fixed versions have been released for various distributions. Ubuntu has released updates for versions 25.10 (7:7.1.1-1ubuntu4.1) and 25.04 (7:7.1.1-1ubuntu1.3). Debian has fixed the issue in bookworm (7:5.1.7-0+deb12u1) and trixie (7:7.1.2-0+deb13u1) releases. Users are advised to update their systems to the latest available versions (Ubuntu Security, Debian Security).