ffmpeg - Debian Package Tracker

general

source: ffmpeg (main)
version: 7:8.1.2-2
maintainer: Debian Multimedia Maintainers (archive) (DMD)
uploaders: Reinhard Tartler [DMD] – Sebastian Ramacher [DMD] – James Cowgill [DMD]
arch: all any
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 7:4.3.7-0+deb11u1
o-o-sec: 7:4.3.9-0+deb11u2
o-o-p-u: 7:4.3.7-0+deb11u1
oldstable: 7:5.1.8-0+deb12u1
old-sec: 7:5.1.9-0+deb12u1
old-p-u: 7:5.1.9-0+deb12u1
stable: 7:7.1.3-0+deb13u1
stable-sec: 7:7.1.5-0+deb13u1
stable-p-u: 7:7.1.5-0+deb13u1
testing: 7:8.1.2-2
unstable: 7:8.1.2-2

versioned links

7:4.3.7-0+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:4.3.9-0+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:5.1.8-0+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:5.1.9-0+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:7.1.3-0+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:7.1.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:7.1.5-0+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:8.1.2-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ffmpeg (20 bugs: 0, 15, 5, 0)
ffmpeg-doc
libavcodec-dev (1 bugs: 0, 0, 1, 0)
libavcodec-extra
libavcodec-extra62
libavcodec62
libavdevice-dev
libavdevice62
libavfilter-dev
libavfilter-extra
libavfilter-extra11
libavfilter11
libavformat-dev (1 bugs: 0, 1, 0, 0)
libavformat-extra
libavformat-extra62
libavformat62
libavutil-dev
libavutil60
libswresample-dev
libswresample6
libswscale-dev
libswscale9

action needed

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2026-6385: A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
CVE-2026-30997: An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Created: 2026-04-15 Last update: 2026-06-25 07:00

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2026-6385: A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
CVE-2026-30997: An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Created: 2026-04-15 Last update: 2026-06-25 07:00

6 security issues in bullseye high

There are 6 open security issues in bullseye.

2 important issues:

CVE-2026-8461: An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial-of-service and, in some cases, can be exploited for remote code execution. This vulnerability is associated with the file libavcodec/magicyuv.C. This issue affects FFmpeg before version 8.1.2.
CVE-2026-12706: A use-after-free vulnerability was found in FFmpeg's RASC video decoder. The decode_move() function initializes a read pointer into a decompressed buffer, but a subsequent reallocation of that same buffer during move-table processing leaves the pointer dangling. An attacker could exploit this by providing a specially crafted AVI file containing a malicious RASC video stream. When a user opens or plays the file, the decoder reads from freed heap memory, which could lead to a denial of service (crash).

4 issues postponed or untriaged:

CVE-2023-6601: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions.
CVE-2026-6385: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
CVE-2026-30997: (postponed; to be fixed through a stable update) An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVE-2026-40962: (postponed; to be fixed through a stable update) FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c.

Created: 2026-06-18 Last update: 2026-06-25 07:00

10 security issues in bookworm high

There are 10 open security issues in bookworm.

1 important issue:

CVE-2026-8461: An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial-of-service and, in some cases, can be exploited for remote code execution. This vulnerability is associated with the file libavcodec/magicyuv.C. This issue affects FFmpeg before version 8.1.2.

9 issues left for the package maintainer to handle:

CVE-2023-6601: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions.
CVE-2026-6385: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
CVE-2023-49528: (postponed; to be fixed through a stable update) Buffer Overflow vulnerability in FFmpeg version n6.1-3-g466799d4f5, allows a local attacker to execute arbitrary code and cause a denial of service (DoS) via the af_dialoguenhance.c:261:5 in the de_stereo component.
CVE-2024-31578: (postponed; to be fixed through a stable update) FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via the av_hwframe_ctx_init function.
CVE-2024-35369: (postponed; to be fixed through a stable update) In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process.
CVE-2024-36615: (postponed; to be fixed through a stable update) FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could lead to a data race if video encoding parameters were being exported, as the side data would be attached in the decoder thread while being read in the output thread.
CVE-2025-10256: (postponed; to be fixed through a stable update) A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array() in the config_input() function. An attacker could exploit this by tricking a victim into processing a crafted media file with the Firequalizer filter enabled, causing the application to dereference a NULL pointer and crash, leading to denial of service.
CVE-2025-22921: (postponed; to be fixed through a stable update) FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c.
CVE-2026-30997: (postponed; to be fixed through a stable update) An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-04-12 Last update: 2026-06-25 07:00

lintian reports 5 errors and 7 warnings high

Lintian reports 5 errors and 7 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-06-23 Last update: 2026-06-23 11:17

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2026-06-02 Last update: 2026-06-26 10:47

Depends on packages which need a new maintainer normal

The packages that ffmpeg depends on which need a new maintainer are:

libiec61883 (#826285)
- Depends: libiec61883-0 libiec61883-0
- Build-Depends: libiec61883-dev

Created: 2019-11-22 Last update: 2026-06-26 09:30

2 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 5b98dcadacb72f3d1b86435356e71bef60831c90
Author: Sebastian Ramacher <sramacher@debian.org>
Date:   Thu Jun 25 18:07:38 2026 +0200

    Remove another ${misc:Depends}

commit 17996f8ff3249cae721d955185d4a97d0e318f6f
Author: Sebastian Ramacher <sramacher@debian.org>
Date:   Thu Jun 25 17:51:18 2026 +0200

    Bump debhelper compat to 14

Created: 2026-06-25 Last update: 2026-06-25 17:19

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-6385: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.

You can find information about how to handle this issue in the security team's documentation.

Created: 2024-12-31 Last update: 2026-06-25 07:00

news

[rss feed]

[2026-06-25] Accepted ffmpeg 7:7.1.5-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2026-06-25] ffmpeg 7:8.1.2-2 MIGRATED to testing (Debian testing watch)
[2026-06-22] Accepted ffmpeg 7:8.1.2-2 (source) into unstable (Sebastian Ramacher)
[2026-06-22] Accepted ffmpeg 7:7.1.5-0+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2026-06-22] Accepted ffmpeg 7:8.1.2-1 (source) into unstable (Sebastian Ramacher)
[2026-06-18] ffmpeg 7:8.1.1-4 MIGRATED to testing (Debian testing watch)
[2026-06-13] Accepted ffmpeg 7:8.1.1-4 (source) into unstable (Sebastian Ramacher)
[2026-05-21] ffmpeg 7:8.1.1-3 MIGRATED to testing (Debian testing watch)
[2026-05-16] Accepted ffmpeg 7:5.1.9-0+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2026-05-16] Accepted ffmpeg 7:7.1.4-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2026-05-15] Accepted ffmpeg 7:5.1.9-0+deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2026-05-14] Accepted ffmpeg 7:7.1.4-0+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2026-05-09] Accepted ffmpeg 7:8.1.1-3 (source) into unstable (Sebastian Ramacher)
[2026-05-09] Accepted ffmpeg 7:8.1.1-2 (source) into unstable (Sebastian Ramacher)
[2026-05-08] Accepted ffmpeg 7:8.1.1-1 (source) into unstable (Sebastian Ramacher)
[2026-03-29] ffmpeg 7:8.1-3 MIGRATED to testing (Debian testing watch)
[2026-03-20] Accepted ffmpeg 7:8.1-3 (source) into unstable (Sebastian Ramacher)
[2026-03-20] Accepted ffmpeg 7:8.1-2 (source) into unstable (Sebastian Ramacher)
[2026-03-20] Accepted ffmpeg 7:8.1-1 (source) into unstable (Sebastian Ramacher)
[2026-01-16] Accepted ffmpeg 7:4.3.9-0+deb11u2 (source) into oldoldstable-security (Carlos Henrique Lima Melara)
[2026-01-03] Accepted ffmpeg 7:5.1.8-0+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2026-01-02] ffmpeg 7:8.0.1-3 MIGRATED to testing (Debian testing watch)
[2025-12-29] Accepted ffmpeg 7:8.0.1-3 (source) into unstable (Sebastian Ramacher)
[2025-12-20] Accepted ffmpeg 7:7.1.3-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-12-16] ffmpeg 7:8.0.1-2 MIGRATED to testing (Debian testing watch)
[2025-12-13] Accepted ffmpeg 7:8.0.1-2 (source) into unstable (Sebastian Ramacher)
[2025-12-10] Accepted ffmpeg 7:5.1.8-0+deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-12-07] Accepted ffmpeg 7:7.1.3-0+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-12-02] ffmpeg 7:7.1.3-1 MIGRATED to testing (Debian testing watch)
[2025-11-30] Accepted ffmpeg 7:7.1.3-1 (source) into unstable (Sebastian Ramacher)

bugs [bug history graph]

all: 25 26
RC: 0
I&N: 18
M&W: 7 8
F&P: 0
patch: 2

links

homepage
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 7:8.1-3ubuntu3
patches for 7:8.1-3ubuntu3