Fluid Attacks Database

Description

There exists interger overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	libvpx	=1.9.0-1 \|\| =1.9.0-1+deb11u1 \|\| =1.9.0-1+deb11u2 \|\| >=0 <1.9.0-1+deb11u3	1.9.0-1+deb11u3
debian 12	libvpx	=1.12.0-1 \|\| =1.12.0-1+deb12u1 \|\| =1.12.0-1+deb12u2 \|\| >=0 <1.12.0-1+deb12u3	1.12.0-1+deb12u3
debian 13	libvpx	>=0 <1.14.1-1	1.14.1-1
debian 14	libvpx	>=0 <1.14.1-1	1.14.1-1
rpm rhel8	libvpx	<0:1.7.0-11.el8_10	0:1.7.0-11.el8_10
rpm rhel8	firefox	-	-
rpm rhel7	firefox	-	-
rpm rhel6	libvpx	-	-
rpm rhel9	firefox	-	-
rpm rhel7	thunderbird	-	-

1-10 of 15

Aliases

1. CVE-2024-51972. NVD-2024-51973. OSV-DEBIAN-2024-51974. OSV-2024-51975. SECURITY-TRACKER-CVE-2024-5197

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.