CVE-2025-27091

Summary

CVE-2025-27091 is a vulnerability in OpenH264, a free license H.264 codec library. The issue lies in the decoding functions and involves a race condition between Sequence Parameter Set (SPS) memory allocation and non-Instantaneous Decoder Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An attacker can exploit this heap overflow vulnerability by crafting a malicious video bitstream and causing an unexpected crash or potentially executing arbitrary commands on the victim's host. Affecting releases 2.5.0 and earlier, both Scalable Video Coding (SVC) mode and Advanced Video Coding (AVC) mode are vulnerable. OpenH264 2.6.0 and later contain the fix for this vulnerability, and users are advised to upgrade with no known workarounds. Researchers Octavian Guzu and Andrew Calvano of Meta discovered the vulnerability, with fix ideation by Philipp Hancke and Shyam Sadhwani, and fix implementation by Benzheng Zhang.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.