CVE-2025-9951: 
Ffmpeg vulnerability analysis and mitigation

A heap-buffer-overflow write vulnerability (CVE-2025-9951) was discovered in the jpeg2000dec component of FFmpeg. The vulnerability was reported on August 4, 2025, and disclosed on September 8, 2025. This security flaw affects FFmpeg versions prior to 8.0, specifically impacting the JPEG2000 decoder functionality (Google Research).

The vulnerability exists in the Channel Definition (cdef) atom of JPEG2000, which is responsible for defining the mapping of associated components to channels. When a chroma-subsampled pixel format is used together with the cdef atom, a corner case can be triggered. For example, in a YUV420P frame with 64x32 resolution, the Y component will be 2127 bytes, while the U and V components will be 1103 bytes. By manipulating the cdef with cn=0 and asoc=2, data for the full resolution luma component Y with a height of 32 can be written into the smaller subsampled chroma plane U with a height of 16, resulting in a buffer overflow of 1024 bytes. The vulnerability has been assigned a CVSS v4.0 score of 7.2 (High) (Google Research).

The heap-buffer-overflow vulnerability can potentially allow attackers to achieve remote code execution or cause denial of service conditions in systems running affected versions of FFmpeg (Google Research).

While no official patch has been released yet, users are advised to monitor for updates and consider implementing access controls to limit exposure to potentially malicious JPEG2000 files (Google Research).