CVE-2024-35365
Published: 03 January 2025
Summary
CVE-2024-35365 is a high-severity Double Free (CWE-415) vulnerability in FFmpeg. Its CVSS base score is 8.8 (High).
Operationally, it ranks at the 45.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely identification, reporting, and correction of system flaws like the double-free vulnerability in FFmpeg n6.1.1, directly enabling patching via the provided commit.
SI-16 requires controls to minimize the impact of double-free vulnerabilities, explicitly addressing this CWE-415 flaw in FFmpeg's new_stream_audio function.
SI-10 enforces validation and sanitization of inputs like crafted media files, reducing the risk of triggering the double-free during FFmpeg processing.
NVD Description
FFmpeg version n6.1.1 has a double-free vulnerability in the fftools/ffmpeg_mux_init.c component of FFmpeg, specifically within the new_stream_audio function.
Deeper analysis
CVE-2024-35365 is a double-free vulnerability (CWE-415) in FFmpeg version n6.1.1, located in the fftools/ffmpeg_mux_init.c component, specifically within the new_stream_audio function. This flaw affects the FFmpeg multimedia framework, which is widely used for handling audio and video processing in various applications and tools. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Remote attackers can exploit this vulnerability by tricking a user into processing a specially crafted media file with the affected FFmpeg version. User interaction is required, such as running the ffmpeg tool on malicious input. No privileges are needed, the attack vector is network, and the attack complexity is low. Successful exploitation of the double-free could result in high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or denial of service.
FFmpeg has addressed the issue via a patch in commit ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5, available on the project's GitHub repository. Security practitioners should update to versions incorporating this fix and review the source code at fftools/ffmpeg_mux_init.c#L886 for details. Additional technical analysis is provided in the referenced GitHub gist.
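One way to check whether a local FFmpeg git checkout already contains the fix commit named above. This is an added example, not FFmpeg's or this advisory's own tooling; the function name `ffmpeg_fix_status`, the variable `FIX_COMMIT` and the return-code scheme are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: does a local FFmpeg git checkout contain the fix commit
# named in this advisory? Names and return codes here are illustrative.

FIX_COMMIT="ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5"  # from the advisory text

# ffmpeg_fix_status REPO [REF] [COMMIT]
# Returns: 0 = REF contains the fix commit
#          1 = commit is present in the repo but is not an ancestor of REF
#          2 = cannot tell (not a git repo, unknown REF, or the commit
#              object is absent, e.g. a shallow clone)
ffmpeg_fix_status() {
    repo=$1
    ref=${2:-HEAD}
    commit=${3:-$FIX_COMMIT}

    # Refuse to answer for something that is not a git work tree or bare repo.
    git -C "$repo" rev-parse --git-dir >/dev/null 2>&1 || return 2

    # The ref being audited must resolve to a commit.
    git -C "$repo" rev-parse --verify --quiet "$ref^{commit}" >/dev/null || return 2

    # cat-file -e exits non-zero when the object is missing from the object
    # store, which is what a shallow or partial clone looks like.
    git -C "$repo" cat-file -e "$commit^{commit}" 2>/dev/null || return 2

    # Ancestry test: exit status 0 means $commit is reachable from $ref.
    if git -C "$repo" merge-base --is-ancestor "$commit" "$ref"; then
        return 0
    fi
    return 1
}

# Stand-alone use: sh check_fix.sh /path/to/ffmpeg [ref]
[ "$#" -eq 0 ] || ffmpeg_fix_status "$@"
```

A result of 1 on a release branch is not proof of exposure: a backport applied by cherry-pick has a different commit hash, so confirm against the branch's own history or the packaged version's changelog.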
Details
- CWE(s)