CVE-2026-40962: FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data

Description

FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c.

Affected Products

Vendor	Product	Versions
ffmpeg	ffmpeg	4.1

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
open source	ffmpeg	cert_advisory	90%

References

https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22348

Related News (2 articles)

Tier B

BSI Advisories3d ago

[NEU] [mittel] ffmpeg: Mehrere Schwachstellen

→ No new info (linked only)

Tier C

VulDB4d ago

CVE-2026-40962 | FFmpeg up to 8.0 libavformat/mov.c integer overflow

→ No new info (linked only)

CVSS 3.14.9 MEDIUM

VectorCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

8.1

CWECWE-190

PublishedApr 16, 2026

Last enriched4d agov2

Trending Score29

Source articles2

Independent2

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

Version History

Last enriched 4d ago

v2Tier C4d ago

Updated vendor to FFmpeg, affected versions to include 8.0, changed severity to HIGH, marked as actively exploited, and noted that no exploit is available.

vendoraffectedVersionsseverityactivelyExploited

via VulDB

v14d ago

Initial creation

CVE-2026-40962: FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data

Description

Affected Products

Also Affects

References

Related News (2 articles)

Community Vote

Related CVEs (5)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History