GHSA-mc39-h54g-pvw6: 
Rust vulnerability analysis and mitigation

An integer overflow vulnerability was discovered in the dav1d AV1 decoder, affecting libdav1d-sys versions prior to 0.7.0. The vulnerability was reported on February 19, 2024, and was assigned the identifier GHSA-mc39-h54g-pvw6. This security issue affects multiple systems and software implementations that use the dav1d decoder, including various Apple operating systems and Fedora (GitHub Advisory, RustSec Advisory).

The vulnerability is classified as CWE-190 (Integer Overflow or Wraparound) and has been assigned a CVSS v3.1 base score of 5.9 (Medium severity). The CVSS vector is CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L, indicating adjacent network attack vector, high attack complexity, low privileges required, and no user interaction needed. The vulnerability has an EPSS score of 0.29%, suggesting a relatively low probability of exploitation in the wild (CVE Details).

The integer overflow vulnerability can occur when decoding videos with large frame sizes, potentially leading to memory corruption within the AV1 decoder. This can result in low confidentiality impact, high integrity impact, and low availability impact to the affected systems (GitHub Advisory, CVE Details).

Users are recommended to upgrade to libdav1d-sys version 0.7.0 or later, which includes dav1d 1.4.0 that contains the fix for this vulnerability. Various affected vendors have released patches, including Apple releasing updates for iOS, iPadOS, macOS, Safari, and visionOS (GitHub Advisory, RustSec Advisory).