{"id":"CVE-2018-6548","details":"A use-after-free issue was discovered in libwebm through 2018-02-02. Once a Vp9HeaderParser has been initialized, its frame_ member is not changed again because of code in vp9parser::Vp9HeaderParser::SetFrame. The memory referenced by frame_ can be freed while the pointer itself is not updated, leaving a dangling pointer. This is related to the function OutputCluster in webm_info.cc.","modified":"2026-03-14T09:30:09.706244Z","published":"2018-02-02T09:29:00.850Z","references":[{"type":"REPORT","url":"https://bugs.chromium.org/p/webm/issues/detail?id=1493"},{"type":"EVIDENCE","url":"https://github.com/dwfault/PoCs/blob/master/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/webmproject/libwebm","events":[{"introduced":"0"},{"last_affected":"82ac5fcdc8525820442faa90847b452113fc9394"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.0.0.27"}]}}],"versions":["libwebm-1.0.0.10","libwebm-1.0.0.11","libwebm-1.0.0.12","libwebm-1.0.0.13","libwebm-1.0.0.14","libwebm-1.0.0.15","libwebm-1.0.0.16","libwebm-1.0.0.17","libwebm-1.0.0.18","libwebm-1.0.0.19","libwebm-1.0.0.2","libwebm-1.0.0.20","libwebm-1.0.0.21","libwebm-1.0.0.22","libwebm-1.0.0.23","libwebm-1.0.0.24","libwebm-1.0.0.25","libwebm-1.0.0.26","libwebm-1.0.0.27","libwebm-1.0.0.3","libwebm-1.0.0.4","libwebm-1.0.0.5","libwebm-1.0.0.6","libwebm-1.0.0.7","libwebm-1.0.0.8","libwebm-1.0.0.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-6548.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}