Cyber Posture

CVE-2026-40962

Severity: Medium
Published: 16 April 2026
Modified: 20 April 2026
CVSS Score: 4.9 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0001 (1.2th percentile)
Risk Priority: 10 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40962 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in FFmpeg. Its CVSS base score is 4.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). Its EPSS score places it at the 1.2th percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly addresses the vulnerability by requiring timely remediation, namely upgrading FFmpeg to version 8.1 or later, which fixes the integer overflow in mov.c.

SI-10 Information Input Validation (prevent): Requires validation of CENC subsample data inputs so that length fields cannot overflow during media file parsing in FFmpeg.

Memory protection (prevent): Implements memory protections such as ASLR and DEP to raise the cost of exploiting the out-of-bounds write that results from the integer overflow.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Integer overflow/OOB write in FFmpeg MOV/CENC parser enables exploitation via crafted media files in client applications using the library.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c.

Deeper analysis

CVE-2026-40962 is an integer overflow vulnerability in FFmpeg versions prior to 8.1, leading to an out-of-bounds write. The issue arises when processing CENC (Common Encryption) subsample data in the libavformat/mov.c component, classified under CWE-190 (Integer Overflow or Wraparound). Published on 2026-04-16, it carries a CVSS v3.1 base score of 4.9 (AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating moderate severity with low impacts across confidentiality, integrity, and availability.

Exploitation requires local access (AV:L) with no privileges (PR:N) and high attack complexity (AC:H), but no user interaction (UI:N). A successful attack could allow an unprivileged local attacker to trigger the overflow during media file parsing, potentially resulting in limited data corruption, minor information disclosure, or partial denial of service within the affected FFmpeg process.

The FFmpeg project addresses this in pull request 22348 at https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22348, with mitigation achieved by upgrading to FFmpeg 8.1 or later, which includes the necessary fixes to prevent the integer overflow and out-of-bounds write in mov.c.
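As an added illustration of the SI-10 control described above (this is not FFmpeg's code and not the patched mov.c), the C function below walks a CENC subsample table in the ISO/IEC 23001-7 layout and sums the per-subsample lengths with checked arithmetic, rejecting any table whose sum wraps or exceeds the real packet size. The function name, the helper readers and the sample bytes are this example's own constructions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Big-endian field readers for the CENC sample auxiliary data layout
 * (ISO/IEC 23001-7): subsample_count (16 bits), then per subsample
 * BytesOfClearData (16 bits) followed by BytesOfProtectedData (32 bits). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Sums a subsample table with overflow-checked arithmetic (hypothetical
 * helper, not FFmpeg's). Returns true and stores the total only when the
 * table fits inside aux_len and the summed lengths do not exceed
 * packet_size. Without the checks a wrapped sum would pass the final
 * comparison and let a later copy run past the packet buffer, which is
 * the CWE-190 -> out-of-bounds-write pattern this CVE describes. */
bool cenc_subsample_total(const uint8_t *aux, size_t aux_len,
                          uint32_t packet_size, uint32_t *total_out)
{
    if (aux_len < 2)
        return false;                  /* no room for subsample_count */
    uint16_t count = rd16(aux);
    /* count <= 65535, so count * 6 cannot overflow size_t here */
    if ((size_t)count * 6 > aux_len - 2)
        return false;                  /* table is truncated */

    uint32_t total = 0;
    const uint8_t *p = aux + 2;
    for (uint16_t i = 0; i < count; i++, p += 6) {
        uint32_t entry;
        if (__builtin_add_overflow(rd16(p), rd32(p + 2), &entry))
            return false;              /* clear + protected wrapped */
        if (__builtin_add_overflow(total, entry, &total))
            return false;              /* running total wrapped */
    }
    if (total > packet_size)
        return false;                  /* table claims more data than exists */
    *total_out = total;
    return true;
}
```

The two `__builtin_add_overflow` checks are the whole point: a plain `total += clear + protected` would silently wrap to a small value that the final size comparison accepts.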

Details

CWE(s): CWE-190 Integer Overflow or Wraparound

Affected Products

Vendor: ffmpeg, Product: ffmpeg, Versions: ≤ 8.1

CVEs Like This One

CVE-2025-1594 (same product: FFmpeg)
CVE-2026-30997 (same product: FFmpeg)
CVE-2026-30998 (same product: FFmpeg)
CVE-2024-35365 (same product: FFmpeg)
CVE-2023-6605 (same product: FFmpeg)
CVE-2026-30999 (same product: FFmpeg)
CVE-2025-47392 (shared CWE-190)
CVE-2026-5732 (shared CWE-190)
CVE-2025-30405 (shared CWE-190)
CVE-2025-21338 (shared CWE-190)
