CVE-2024-1580 — MEDIUM (5.9)

Q: How severe is CVE-2024-1580?

CVE-2024-1580 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-1580?

Check the references section above for vendor advisories and patch information. Affected products include: Videolan Dav1D, Apple Safari, Apple Ipados, Apple Iphone Os, Apple Macos.

Vulnerability Description

An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. We recommend upgrading past version 1.4.0 of dav1d.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

Attack Vector

ADJACENT_NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Videolan	Dav1D	< 1.4.0
Apple	Safari	< 17.4.1
Apple	Ipados	< 16.7.7
Apple	Iphone Os	< 16.7.7
Apple	Macos	>= 13.0, < 13.6.6
Apple	Visionos	< 1.1.1
Fedoraproject	Fedora	40

Related Weaknesses (CWE)

CWE-190

References

http://seclists.org/fulldisclosure/2024/Mar/36Mailing List
http://seclists.org/fulldisclosure/2024/Mar/37Mailing List
http://seclists.org/fulldisclosure/2024/Mar/38Mailing List
http://seclists.org/fulldisclosure/2024/Mar/39Mailing List
http://seclists.org/fulldisclosure/2024/Mar/40Mailing List
http://seclists.org/fulldisclosure/2024/Mar/41Mailing List
https://code.videolan.org/videolan/dav1d/-/blob/master/NEWSRelease Notes
https://code.videolan.org/videolan/dav1d/-/releases/1.4.0Release Notes
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://support.apple.com/kb/HT214093Third Party Advisory
https://support.apple.com/kb/HT214094Third Party Advisory
https://support.apple.com/kb/HT214095Third Party Advisory
https://support.apple.com/kb/HT214096Third Party Advisory
https://support.apple.com/kb/HT214097Third Party Advisory
https://support.apple.com/kb/HT214098Third Party Advisory

FAQ

What is CVE-2024-1580?

CVE-2024-1580 is a vulnerability with a CVSS score of 5.9 (MEDIUM). An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. We recommend upgrading past version 1.4.0...

How severe is CVE-2024-1580?

CVE-2024-1580 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-1580?

Check the references section above for vendor advisories and patch information. Affected products include: Videolan Dav1D, Apple Safari, Apple Ipados, Apple Iphone Os, Apple Macos.