{"api_version":"1","generated_at":"2026-05-05T14:12:25+00:00","cve":"CVE-2018-1999013","urls":{"html":"https://cve.report/CVE-2018-1999013","api":"https://cve.report/api/cve/CVE-2018-1999013.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-1999013","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-1999013"},"summary":{"title":"CVE-2018-1999013","description":"FFmpeg before commit a7e032a277452366771951e29fd0bf2bd5c029f0 contains a use-after-free vulnerability in the realmedia demuxer that can result in vulnerability allows attacker to read heap memory. This attack appear to be exploitable via specially crafted RM file has to be provided as input. This vulnerability appears to have been fixed in a7e032a277452366771951e29fd0bf2bd5c029f0 and later.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2018-07-23 15:29:00","updated_at":"2018-09-20 16:21:00"},"problem_types":["CWE-416"],"metrics":[],"references":[{"url":"https://github.com/FFmpeg/FFmpeg/commit/a7e032a277452366771951e29fd0bf2bd5c029f0","name":"https://github.com/FFmpeg/FFmpeg/commit/a7e032a277452366771951e29fd0bf2bd5c029f0","refsource":"CONFIRM","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"avformat/rmdec: Do not pass mime type in rm_read_multi() to ff_rm_rea… · FFmpeg/FFmpeg@a7e032a · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/104896","name":"104896","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"FFmpeg Multiple Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-1999013","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1999013","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"1999013","vulnerable":"1","versionEndIncluding":"4.0.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ffmpeg","cpe5":"ffmpeg","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-1999013","qid":"500902","title":"Alpine Linux Security Update for ffmpeg"},{"cve":"CVE-2018-1999013","qid":"502272","title":"Alpine Linux Security Update for ffmpeg4"},{"cve":"CVE-2018-1999013","qid":"504745","title":"Alpine Linux Security Update for ffmpeg"},{"cve":"CVE-2018-1999013","qid":"504763","title":"Alpine Linux Security Update for ffmpeg4"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","DATE_ASSIGNED":"2018-07-20T20:44:32.979447","DATE_REQUESTED":"2018-07-13T16:13:46","ID":"CVE-2018-1999013","REQUESTER":"paulcher@icloud.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"FFmpeg before commit a7e032a277452366771951e29fd0bf2bd5c029f0 contains a use-after-free vulnerability in the realmedia demuxer that can result in vulnerability allows attacker to read heap memory. This attack appear to be exploitable via specially crafted RM file has to be provided as input. This vulnerability appears to have been fixed in a7e032a277452366771951e29fd0bf2bd5c029f0 and later."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"104896","refsource":"BID","url":"http://www.securityfocus.com/bid/104896"},{"name":"https://github.com/FFmpeg/FFmpeg/commit/a7e032a277452366771951e29fd0bf2bd5c029f0","refsource":"CONFIRM","url":"https://github.com/FFmpeg/FFmpeg/commit/a7e032a277452366771951e29fd0bf2bd5c029f0"}]}},"nvd":{"publishedDate":"2018-07-23 15:29:00","lastModifiedDate":"2018-09-20 16:21:00","problem_types":["CWE-416"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*","versionEndIncluding":"4.0.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"1999013","Ordinal":"131242","Title":"CVE-2018-1999013","CVE":"CVE-2018-1999013","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"1999013","Ordinal":"1","NoteData":"FFmpeg before commit a7e032a277452366771951e29fd0bf2bd5c029f0 contains a use-after-free vulnerability in the realmedia demuxer that can result in vulnerability allows attacker to read heap memory. This attack appear to be exploitable via specially crafted RM file has to be provided as input. This vulnerability appears to have been fixed in a7e032a277452366771951e29fd0bf2bd5c029f0 and later.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"1999013","Ordinal":"2","NoteData":"2018-07-23","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"1999013","Ordinal":"3","NoteData":"2018-07-27","Type":"Other","Title":"Modified"}]}}}