{"id":"CVE-2019-9718","details":"In FFmpeg 3.2 and 4.1, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because ff_htmlmarkup_to_ass in libavcodec/htmlsubtitles.c has a complex format argument to sscanf.","modified":"2026-04-11T15:27:37.111715Z","published":"2019-03-12T09:29:00.530Z","related":["SUSE-SU-2019:3184-1","SUSE-SU-2019:3184-2"],"references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/107382"},{"type":"ADVISORY","url":"https://seclists.org/bugtraq/2019/May/60"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3967-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4449"},{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/23ccf3cabb4baf6e8af4b1af3fcc59c904736f21"},{"type":"FIX","url":"https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/1f00c97bc3475c477f3c468cf2d924d5761d0982"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.ffmpeg.org/ffmpeg.git","events":[{"introduced":"0"},{"fixed":"1f00c97bc3475c477f3c468cf2d924d5761d0982"}]},{"type":"GIT","repo":"https://github.com/ffmpeg/ffmpeg","events":[{"introduced":"0"},{"last_affected":"340cea9f22c162e10d120835661e132721b7454b"},{"introduced":"0"},{"last_affected":"3c1ecb057d7621e57968624aa15ad3e9efc819f7"},{"fixed":"23ccf3cabb4baf6e8af4b1af3fcc59c904736f21"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.2"},{"introduced":"0"},{"last_affected":"4.1"}]}}],"versions":["N","n0.11-dev","n0.12-dev","n0.8","n1.1-dev","n1.2-dev","n1.3-dev","n2.0","n2.1-dev","n2.2-dev","n2.3-dev","n2.4-dev","n2.5-dev","n2.6-dev","n2.7-dev","n2.8-dev","n2.9-dev","n3.1-dev","n3.2","n3.2-dev","n3.2.1","n3.2.10","n3.2.11","n3.2.12","n3.2.13","n3.2.2","n3.2.3","n3.2.4","n3.2.5","n3.2.6","n3.2.7","n3.2.8","n3.2.9","n3.3-dev","n3.4-dev","n3.5-dev","n4.1-dev","n4.2-dev"],"database_specific":{"vanir_signatures_modified":"2026-04-11T15:27:37Z","vanir_signatures":[{"target":{"function":"ff_htmlmarkup_to_ass","file":"libavcodec/htmlsubtitles.c"},"id":"CVE-2019-9718-755ab778","signature_type":"Function","deprecated":false,"digest":{"length":3632,"function_hash":"134429341697870814247987316111924007456"},"source":"https://github.com/ffmpeg/ffmpeg/commit/23ccf3cabb4baf6e8af4b1af3fcc59c904736f21","signature_version":"v1"},{"target":{"file":"libavcodec/htmlsubtitles.c"},"id":"CVE-2019-9718-da1a4911","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["146229409084369695006291932218330531278","186871920662715219977446106701134555870","310562769026243982809424482522257025845","34344457376983665913898773828430549216","260166848363255873671710857472511837215","80024346695892532889397988976103392180","202968329324838149850240999019982554458"],"threshold":0.9},"source":"https://github.com/ffmpeg/ffmpeg/commit/23ccf3cabb4baf6e8af4b1af3fcc59c904736f21","signature_version":"v1"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.10"}]},{"events":[{"introduced":"0"},{"last_affected":"19.04"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-9718.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}