Search for vulnerabilities
Vulnerability details: VCID-28q2-kc62-nqad
Vulnerability ID VCID-28q2-kc62-nqad
Aliases CVE-2024-36615
Summary FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could lead to a data race if video encoding parameters were being exported, as the side data would be attached in the decoder thread while being read in the output thread.
Status Published
Exploitability 0.5
Weighted Severity 5.3
Risk 2.6
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00071 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00071 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00071 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00071 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00071 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00071 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00071 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00071 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00071 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00071 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00071 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2024-36615
cvssv3.1 6.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 5.9 https://gist.github.com/1047524396/c44e5eaafa8f408eea0c9411205990fb
ssvc Track https://gist.github.com/1047524396/c44e5eaafa8f408eea0c9411205990fb
cvssv3.1 5.9 https://github.com/FFmpeg/FFmpeg/blob/n7.0/libavcodec/vp9.c#L1738
ssvc Track https://github.com/FFmpeg/FFmpeg/blob/n7.0/libavcodec/vp9.c#L1738
cvssv3.1 5.9 https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61
ssvc Track https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-36615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36615
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
0ba058579f332b3060d8470a04ddd3fbf305be61 https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61
c44e5eaafa8f408eea0c9411205990fb https://gist.github.com/1047524396/c44e5eaafa8f408eea0c9411205990fb
cpe:2.3:a:ffmpeg:ffmpeg:7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:ffmpeg:ffmpeg:7.0:*:*:*:*:*:*:*
CVE-2024-36615 https://nvd.nist.gov/vuln/detail/CVE-2024-36615
vp9.c#L1738 https://github.com/FFmpeg/FFmpeg/blob/n7.0/libavcodec/vp9.c#L1738
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://gist.github.com/1047524396/c44e5eaafa8f408eea0c9411205990fb
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T15:22:10Z/ Found at https://gist.github.com/1047524396/c44e5eaafa8f408eea0c9411205990fb
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/FFmpeg/FFmpeg/blob/n7.0/libavcodec/vp9.c#L1738
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T15:22:10Z/ Found at https://github.com/FFmpeg/FFmpeg/blob/n7.0/libavcodec/vp9.c#L1738
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T15:22:10Z/ Found at https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61
Exploit Prediction Scoring System (EPSS)
Percentile 0.20615
EPSS Score 0.00065
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T09:00:14.652521+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2024/36xxx/CVE-2024-36615.json 37.0.0