CVE-2023-6603 - Vulnerability Details - OpenCVE

A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Ffmpeg	Ffmpeg

Configuration 1 [-]

cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=2334335

History

Thu, 21 Aug 2025 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-99

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00545}`	epss `{'score': 0.00591}`

Fri, 20 Jun 2025 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ffmpeg Ffmpeg ffmpeg
Weaknesses		CWE-476
CPEs		cpe:2.3:a:ffmpeg:ffmpeg::::::::
Vendors & Products		Ffmpeg Ffmpeg ffmpeg

Tue, 31 Dec 2024 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 31 Dec 2024 14:30:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization.
Title		Ffmpeg: null pointer dereference in ffmpeg hls parsing
Weaknesses		CWE-99
References		https://bugzilla.redhat.com/show_bug.cgi?id=2334335
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-12-31T14:20:10.690Z

Updated: 2025-08-21T16:04:01.868Z

Reserved: 2023-12-08T06:53:24.259Z

Link: CVE-2023-6603

Vulnrichment

Updated: 2024-12-31T14:59:25.344Z

NVD

Status : Modified

Published: 2024-12-31T15:15:07.490

Modified: 2025-08-21T16:15:30.363

Link: CVE-2023-6603

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2023-6603", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-12-08T06:53:24.259Z", "datePublished": "2024-12-31T14:20:10.690Z", "dateUpdated": "2025-08-21T16:04:01.868Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/FFmpeg/FFmpeg", "defaultStatus": "unknown", "packageName": "FFmpeg", "versions": [{"lessThan": "5.*", "status": "affected", "version": "3.0", "versionType": "semver"}]}], "datePublic": "2024-02-26T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization."}], "metrics": [{"other": {"content": {"namespace": "https://access.redhat.com/security/updates/classification/", "value": "Moderate"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2025-08-21T16:04:01.868Z"}, "references": [{"name": "RHBZ#2334335", "tags": ["issue-tracking", "x_refsource_REDHAT"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334335"}], "timeline": [{"lang": "en", "time": "2023-12-06T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-02-26T00:00:00+00:00", "value": "Made public."}], "title": "Ffmpeg: null pointer dereference in ffmpeg hls parsing", "x_redhatCweChain": "CWE-476: NULL Pointer Dereference"}, "adp": [{"references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334335", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-31T14:59:14.747627Z", "id": "CVE-2023-6603", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-31T14:59:30.313Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-6603", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-31T14:59:14.747627Z"}}}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334335", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-31T14:59:25.344Z"}}], "cna": {"title": "Ffmpeg: null pointer dereference in ffmpeg hls parsing", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "affected", "version": "3.0", "lessThan": "5.*", "versionType": "semver"}], "packageName": "FFmpeg", "collectionURL": "https://github.com/FFmpeg/FFmpeg", "defaultStatus": "unknown"}], "timeline": [{"lang": "en", "time": "2023-12-06T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-02-26T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-02-26T00:00:00.000Z", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334335", "name": "RHBZ#2334335", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2025-08-21T16:04:01.868Z"}, "x_redhatCweChain": "CWE-476: NULL Pointer Dereference"}}, "cveMetadata": {"cveId": "CVE-2023-6603", "state": "PUBLISHED", "dateUpdated": "2025-08-21T16:04:01.868Z", "dateReserved": "2023-12-08T06:53:24.259Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-12-31T14:20:10.690Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE670466-3267-48D2-A826-99B23F7FBD12", "versionEndIncluding": "6.0", "versionStartIncluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en FFmpeg's HLS playlist parsing. Esta vulnerabilidad permite una denegaci\u00f3n de servicio a trav\u00e9s de una lista de reproducci\u00f3n HLS manipulada con fines malintencionados que desencadena una desreferencia de puntero nulo durante la inicializaci\u00f3n."}], "id": "CVE-2023-6603", "lastModified": "2025-08-21T16:15:30.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "patrick@puiterwijk.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-12-31T15:15:07.490", "references": [{"source": "patrick@puiterwijk.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334335"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334335"}], "sourceIdentifier": "patrick@puiterwijk.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "patrick@puiterwijk.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}