Cyber Posture

CVE-2025-1594

Medium · Public PoC

Published: 23 February 2025

Modified: 03 June 2025
KEV Added
Patch
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
EPSS Score: 0.0012 (30.2th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1594 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in FFmpeg. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 30.2th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Directly remediates the stack-based buffer overflow by applying patches or upgrading FFmpeg beyond version 7.1.

Prevent: Implements memory protections such as stack canaries, ASLR, and DEP to prevent exploitation of the stack buffer overflow.

Prevent: Validates manipulated AAC inputs before processing by the vulnerable ff_aac_search_for_tns function to block overflow triggers.

MITRE ATT&CK Enterprise Techniques · AI

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Stack-based buffer overflow in FFmpeg AAC encoder directly enables client-side exploitation via crafted media input (T1203: Exploitation for Client Execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. This affects the function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c of the component AAC Encoder. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Deeper analysis · AI

CVE-2025-1594 is a stack-based buffer overflow vulnerability classified as critical in FFmpeg versions up to 7.1. It affects the ff_aac_search_for_tns function in the libavcodec/aacenc_tns.c file of the AAC Encoder component. The issue, linked to CWE-119, CWE-121, and CWE-787, was published on 2025-02-23.

The vulnerability enables remote exploitation through manipulated input, requiring network access, low complexity, no privileges, and user interaction per its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). Attackers can achieve limited impacts on confidentiality, integrity, and availability. A proof-of-concept exploit has been publicly disclosed and may be used.

References include FFmpeg's official site, a POC attachment and comment on trac.ffmpeg.org/ticket/11418, and VulDB entries at vuldb.com/?ctiid.296589 and vuldb.com/?id.296589, which detail the vulnerability.

Details

CWE(s)

Affected Products

ffmpeg ffmpeg ≤ 7.1

CVEs Like This One

CVE-2026-40962 · Same product: Ffmpeg Ffmpeg
CVE-2026-30997 · Same product: Ffmpeg Ffmpeg
CVE-2026-30998 · Same product: Ffmpeg Ffmpeg
CVE-2024-35365 · Same product: Ffmpeg Ffmpeg
CVE-2023-6605 · Same product: Ffmpeg Ffmpeg
CVE-2026-30999 · Same product: Ffmpeg Ffmpeg
CVE-2025-0840 · Shared CWE-119, CWE-121
CVE-2026-7323 · Shared CWE-119, CWE-787
CVE-2026-42482 · Shared CWE-121, CWE-787
CVE-2025-14174 · Shared CWE-119, CWE-787

References