ffmpeg - Debian Package Tracker

general

source: ffmpeg (main)
version: 7:8.1.1-3
maintainer: Debian Multimedia Maintainers (archive) (DMD)
uploaders: Reinhard Tartler [DMD] – Sebastian Ramacher [DMD] – James Cowgill [DMD]
arch: all any
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 7:4.3.7-0+deb11u1
o-o-sec: 7:4.3.9-0+deb11u2
o-o-p-u: 7:4.3.7-0+deb11u1
oldstable: 7:5.1.8-0+deb12u1
old-sec: 7:5.1.9-0+deb12u1
stable: 7:7.1.3-0+deb13u1
stable-sec: 7:7.1.4-0+deb13u1
stable-p-u: 7:7.1.4-0+deb13u1
testing: 7:8.1-3
unstable: 7:8.1.1-3

versioned links

7:4.3.7-0+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:4.3.9-0+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:5.1.8-0+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:5.1.9-0+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:7.1.3-0+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:7.1.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:7.1.4-0+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:8.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7:8.1.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ffmpeg (19 bugs: 0, 14, 5, 0)
ffmpeg-doc
libavcodec-dev (1 bugs: 0, 0, 1, 0)
libavcodec-extra
libavcodec-extra62
libavcodec62
libavdevice-dev
libavdevice62
libavfilter-dev
libavfilter-extra
libavfilter-extra11
libavfilter11
libavformat-dev (1 bugs: 0, 1, 0, 0)
libavformat-extra
libavformat-extra62
libavformat62
libavutil-dev
libavutil60
libswresample-dev
libswresample6
libswscale-dev
libswscale9

action needed

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2026-6385: A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
CVE-2026-30997: An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Created: 2026-04-15 Last update: 2026-05-16 02:00

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2026-6385: A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
CVE-2026-30997: An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Created: 2026-04-15 Last update: 2026-05-16 02:00

lintian reports 5 errors and 29 warnings high

Lintian reports 5 errors and 29 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-05-09 Last update: 2026-05-09 23:01

Depends on packages which need a new maintainer normal

The packages that ffmpeg depends on which need a new maintainer are:

libiec61883 (#826285)
- Depends: libiec61883-0 libiec61883-0
- Build-Depends: libiec61883-dev

Created: 2019-11-22 Last update: 2026-05-17 01:33

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-05-14 Last update: 2026-05-17 01:33

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2026-04-06 Last update: 2026-05-17 01:30

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 8442f37da0aebe78b687146aac5d430fa5f9277f
Author: Sebastian Ramacher <sramacher@debian.org>
Date:   Thu May 14 11:06:16 2026 +0200

    Document --extra-*flags

Created: 2026-05-14 Last update: 2026-05-14 10:34

3 low-priority security issues in trixie low

There are 3 open security issues in trixie.

3 issues left for the package maintainer to handle:

CVE-2026-6385: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
CVE-2025-22921: (postponed; to be fixed through a stable update) FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c.
CVE-2026-30997: (postponed; to be fixed through a stable update) An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-12-31 Last update: 2026-05-16 02:00

9 low-priority security issues in bookworm low

There are 9 open security issues in bookworm.

9 issues left for the package maintainer to handle:

CVE-2023-6601: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions.
CVE-2026-6385: (postponed; to be fixed through a stable update) A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
CVE-2023-49528: (postponed; to be fixed through a stable update) Buffer Overflow vulnerability in FFmpeg version n6.1-3-g466799d4f5, allows a local attacker to execute arbitrary code and cause a denial of service (DoS) via the af_dialoguenhance.c:261:5 in the de_stereo component.
CVE-2024-31578: (postponed; to be fixed through a stable update) FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via the av_hwframe_ctx_init function.
CVE-2024-35369: (postponed; to be fixed through a stable update) In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process.
CVE-2024-36615: (postponed; to be fixed through a stable update) FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could lead to a data race if video encoding parameters were being exported, as the side data would be attached in the decoder thread while being read in the output thread.
CVE-2025-10256: (postponed; to be fixed through a stable update) A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array() in the config_input() function. An attacker could exploit this by tricking a victim into processing a crafted media file with the Firequalizer filter enabled, causing the application to dereference a NULL pointer and crash, leading to denial of service.
CVE-2025-22921: (postponed; to be fixed through a stable update) FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c.
CVE-2026-30997: (postponed; to be fixed through a stable update) An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-04-12 Last update: 2026-05-16 02:00

testing migrations

excuses:
- Migration status for ffmpeg (7:8.1-3 to 7:8.1.1-3): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Autopkgtest for amide/1.0.6-8.2: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻, i386: No tests, superficial or marked flaky ♻, loong64: Test triggered (failure will be ignored), ppc64el: No tests, superficial or marked flaky ♻, riscv64: No tests, superficial or marked flaky ♻, s390x: No tests, superficial or marked flaky ♻
- ∙ ∙ Autopkgtest for aom/3.13.1-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for aubio/0.4.9-5: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for audio-visualizer-python/2.2.4-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for audioread/3.1.0-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for beets/2.8.0-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for bs1770gain/0.9.8-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for diffoscope/318: amd64: Pass, arm64: Pass, i386: Failed (not a regression) ♻ (reference ♻), loong64: Test triggered (will not be considered a regression) ♻ (reference ♻), ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for elpa-subed/1.4.2-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for ffmpeg/7:8.1.1-3: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for freerdp3/3.24.2+dfsg-1: i386: Pass ♻ (reference ♻), riscv64: Pass ♻ (reference ♻), s390x: Pass ♻ (reference ♻)
- ∙ ∙ Autopkgtest for freerdp3/3.26.0+dfsg-1: amd64: Pass, arm64: Pass, loong64: Test triggered, ppc64el: Pass
- ∙ ∙ Autopkgtest for gr-framework/0.73.24+dfsg-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for ha-ffmpeg/3.2.2-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for kfilemetadata-kf5/5.116.0-4: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for libde265/1.0.18-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for libheif/1.21.2-4: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for libmedia-convert-perl/1.5.2-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for libopenshot/0.5.0+dfsg1-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for librist/0.2.14+dfsg-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for libvpx/1.16.0-3: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for lilv/0.26.4-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for lsdvd/0.21-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for lv2file/0.95-4: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for mussort/0.4-5: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for notcurses/3.0.17+dfsg-3: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for qtox/1.18.3-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for vlc/3.0.23-3: amd64: Pass, arm64: Pass, i386: Pass, loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Pass
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/f/ffmpeg.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ 8 days old (needed 5 days)
- Not considered

news

[rss feed]

[2026-05-16] Accepted ffmpeg 7:5.1.9-0+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2026-05-16] Accepted ffmpeg 7:7.1.4-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2026-05-15] Accepted ffmpeg 7:5.1.9-0+deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2026-05-14] Accepted ffmpeg 7:7.1.4-0+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2026-05-09] Accepted ffmpeg 7:8.1.1-3 (source) into unstable (Sebastian Ramacher)
[2026-05-09] Accepted ffmpeg 7:8.1.1-2 (source) into unstable (Sebastian Ramacher)
[2026-05-08] Accepted ffmpeg 7:8.1.1-1 (source) into unstable (Sebastian Ramacher)
[2026-03-29] ffmpeg 7:8.1-3 MIGRATED to testing (Debian testing watch)
[2026-03-20] Accepted ffmpeg 7:8.1-3 (source) into unstable (Sebastian Ramacher)
[2026-03-20] Accepted ffmpeg 7:8.1-2 (source) into unstable (Sebastian Ramacher)
[2026-03-20] Accepted ffmpeg 7:8.1-1 (source) into unstable (Sebastian Ramacher)
[2026-01-16] Accepted ffmpeg 7:4.3.9-0+deb11u2 (source) into oldoldstable-security (Carlos Henrique Lima Melara)
[2026-01-03] Accepted ffmpeg 7:5.1.8-0+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2026-01-02] ffmpeg 7:8.0.1-3 MIGRATED to testing (Debian testing watch)
[2025-12-29] Accepted ffmpeg 7:8.0.1-3 (source) into unstable (Sebastian Ramacher)
[2025-12-20] Accepted ffmpeg 7:7.1.3-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-12-16] ffmpeg 7:8.0.1-2 MIGRATED to testing (Debian testing watch)
[2025-12-13] Accepted ffmpeg 7:8.0.1-2 (source) into unstable (Sebastian Ramacher)
[2025-12-10] Accepted ffmpeg 7:5.1.8-0+deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-12-07] Accepted ffmpeg 7:7.1.3-0+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-12-02] ffmpeg 7:7.1.3-1 MIGRATED to testing (Debian testing watch)
[2025-11-30] Accepted ffmpeg 7:7.1.3-1 (source) into unstable (Sebastian Ramacher)
[2025-11-21] Accepted ffmpeg 7:8.0.1-1 (source) into experimental (Sebastian Ramacher)
[2025-11-12] Accepted ffmpeg 7:8.0-2 (source) into experimental (Sebastian Ramacher)
[2025-09-26] Accepted ffmpeg 7:7.1.2-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-09-23] ffmpeg 7:7.1.2-1 MIGRATED to testing (Debian testing watch)
[2025-09-21] Accepted ffmpeg 7:7.1.2-0+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-09-20] Accepted ffmpeg 7:7.1.2-1 (source) into unstable (Sebastian Ramacher)
[2025-09-12] Accepted ffmpeg 7:8.0-1 (all amd64 source) into experimental (Debian FTP Masters) (signed by: Sebastian Ramacher)
[2025-08-26] Accepted ffmpeg 7:5.1.7-0+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Sebastian Ramacher)

bugs [bug history graph]

all: 23 24
RC: 0
I&N: 16
M&W: 7 8
F&P: 0
patch: 2

links

homepage
lintian (5, 29)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
screenshots
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 7:8.0.1-3ubuntu2
12 bugs
patches for 7:8.0.1-3ubuntu2