Package details: pkg:deb/debian/libvpx@1.9.0-1%2Bdeb11u3
purl pkg:deb/debian/libvpx@1.9.0-1%2Bdeb11u3
Next non-vulnerable version 1.12.0-1+deb12u3
Latest non-vulnerable version 1.12.0-1+deb12u3
Risk 4.5
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-gw8f-56ya-fyaj
Aliases:
CVE-2025-5283
A double-free could have occurred in `vpx_codec_enc_init_multi` after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash.
1.12.0-1+deb12u3
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (8)
Vulnerability Summary Aliases
VCID-2xws-bjeg-3fg3 In libvpx, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-80479354. CVE-2019-9433
VCID-43gu-zkqh-fqdq VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding. CVE-2023-44488
VCID-7du8-y7sz-cbf3 In libvpx, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-112001302. CVE-2019-9325
VCID-d9rh-3d4z-uuhv In libvpx, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-122675483. CVE-2019-9232
VCID-p4cc-9c4p-qka4 A heap overflow vulnerability exists in libvpx: encoding a frame that has larger dimensions than the originally configured size with VP9 may result in a heap overflow in libvpx. We recommend upgrading to version 1.13.1 or above. CVE-2023-6349
VCID-qq4y-61vn-pfdq Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild. CVE-2023-5217
GHSA-qqvq-6xgj-jw8g
VCID-zats-61cs-r7a2 In libvpx, there is a possible resource exhaustion due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-132783254. CVE-2019-9371
VCID-zzv1-58zk-juge There exist integer overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets, and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets, and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond. CVE-2024-5197

Date Actor Action Vulnerability Source VulnerableCode Version
2025-08-01T19:50:33.181835+00:00 Debian Oval Importer Fixing VCID-2xws-bjeg-3fg3 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T19:36:32.561481+00:00 Debian Oval Importer Fixing VCID-7du8-y7sz-cbf3 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T19:32:38.453752+00:00 Debian Oval Importer Fixing VCID-zats-61cs-r7a2 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T19:16:58.311193+00:00 Debian Oval Importer Fixing VCID-p4cc-9c4p-qka4 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T18:53:09.090934+00:00 Debian Oval Importer Fixing VCID-qq4y-61vn-pfdq https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T17:10:36.305078+00:00 Debian Oval Importer Fixing VCID-d9rh-3d4z-uuhv https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T15:59:48.954638+00:00 Debian Oval Importer Affected by VCID-gw8f-56ya-fyaj https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T12:41:50.459595+00:00 Debian Oval Importer Fixing VCID-zzv1-58zk-juge https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-08-01T11:49:28.238490+00:00 Debian Oval Importer Fixing VCID-43gu-zkqh-fqdq https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0