GHSA-5pmw-9j92-3c4c: 
Rust vulnerability analysis and mitigation

The OpenH264 Rust API (openh264-sys2) contains a heap overflow vulnerability in its decoding functions. The vulnerability was discovered in versions prior to 0.8.0 and affects both the source code implementation and systems using Cisco's pre-compiled DLL. The issue stems from a race condition between a Sequence Parameter Set (SPS) memory allocation and a subsequent non Instantaneous Decoder Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. The vulnerability was fixed in OpenH264 version 2.6.0 and openh264-sys2 version 0.8.0 (GitHub Advisory, NVD).

The vulnerability has been assigned a CVSS v4.0 base score of 8.6 (High severity) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The issue affects both Scalable Video Coding (SVC) mode and Advanced Video Coding (AVC) mode. The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write). The fix was implemented in upstream commit 63db555 and subsequently integrated into the 0.6.6 release for source users and 0.8.0 release for DLL users (RustSec, GitHub Advisory).

A successful exploitation of this vulnerability could allow an attacker to cause an unexpected crash in the victim's user decoding client and potentially execute arbitrary commands on the victim's host by exploiting the heap overflow. The vulnerability affects systems processing untrusted video files and could lead to significant security breaches with high impacts on confidentiality, integrity, and availability (NVD).

Users are strongly advised to upgrade to OpenH264 version 2.6.0 or later. For those using the source feature only, versions >=0.6.6 are safe. Users relying on libloading must upgrade to version 0.8.0 and use Cisco's latest DLL version >=2.6.0. There are no known workarounds for this vulnerability, making the upgrade the only secure solution (GitHub Advisory, RustSec).