Apple Products Remote Code Execution Vulnerability Report: CVE-2024-1580, Integer Overflow in dav1d AV1 Decoder

Date: February 16, 2024
CVE: CVE-2024-1580
Sources: CVE.mitre.org, GitHub Advisory Database

Issue Summary

CVE-2024-1580 identifies a critical integer overflow vulnerability within the dav1d AV1 decoder. This issue arises when processing videos with large frame sizes, potentially leading to memory corruption within the decoder.

Technical key findings

The vulnerability specifically affects the decoding process for large video frames in the dav1d AV1 decoder, where improper handling of size calculations can lead to integer overflow.
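The class of bug described above, shown as an added illustration that is not dav1d's source code: a frame-buffer size computed from file-supplied dimensions in 32-bit arithmetic wraps to a small value, next to a checked version that rejects the same input. The struct, the function names, the sample dimensions and the 1 GiB cap are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical frame description for this example; not a dav1d structure. */
typedef struct { uint32_t width, height, bytes_per_px; } frame_dims;

/* Assumed policy limit on a single frame buffer (1 GiB). */
#define MAX_FRAME_BYTES ((size_t)1 << 30)

/* Weak pattern: the product is evaluated in 32-bit unsigned arithmetic,
 * so a large frame silently wraps modulo 2^32 and yields a small size. */
static uint32_t frame_size_unchecked(frame_dims d) {
    return d.width * d.height * d.bytes_per_px;
}

/* Hardened pattern: widen before multiplying, check each step, and enforce
 * a cap. Returns the size in bytes, or 0 if the frame must be rejected. */
static size_t frame_size_checked(frame_dims d, size_t max_bytes) {
    uint64_t px, total;
    if (d.width == 0 || d.height == 0 || d.bytes_per_px == 0)
        return 0;
    px = (uint64_t)d.width * d.height;       /* 32x32 bits always fits in 64 */
    if (px > UINT64_MAX / d.bytes_per_px)    /* next multiply would overflow */
        return 0;
    total = px * d.bytes_per_px;
    if (total > max_bytes)                   /* cap also guarantees it fits size_t */
        return 0;
    return (size_t)total;
}

int main(void) {
    /* Constructed inputs: one ordinary frame, one oversized frame. */
    frame_dims hd  = { 1920, 1080, 2 };
    frame_dims big = { 65536, 32769, 2 };    /* true size: 4295098368 bytes */

    printf("1080p unchecked=%lu checked=%zu\n",
           (unsigned long)frame_size_unchecked(hd),
           frame_size_checked(hd, MAX_FRAME_BYTES));
    /* The unchecked size wraps to 131072, far smaller than the data that a
     * decoder would later write; the checked version refuses the frame. */
    printf("large unchecked=%lu checked=%zu\n",
           (unsigned long)frame_size_unchecked(big),
           frame_size_checked(big, MAX_FRAME_BYTES));
    return 0;
}
```
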

Vulnerable products

All versions of the dav1d AV1 decoder before 1.4.0 are affected by this vulnerability, including but not limited to:

  • macOS Sonoma 14.4.1
  • macOS Ventura 13.6.6
  • Safari 17.4.1

As well as:

  • VideoLAN Project (VLC player)

Impact assessment

Successful exploitation could result in memory corruption, which might allow an attacker to execute arbitrary code or cause a denial of service (DoS) condition on the targeted system.

Patches or workaround

Users are advised to upgrade to version 1.4.0 or later of the dav1d AV1 decoder to mitigate this vulnerability.

Tags

#CVE-2024-1580, #dav1d, #AV1decoder, #integerOverflow, #Apple, #VLC, #videolan
