[FFmpeg-user] ffmpeg 4.4.1 security issue

Moritz Barsnick barsnick at gmx.net
Thu Jan 6 18:06:41 EET 2022

On Thu, Jan 06, 2022 at 13:12:51 +0000, FFmpeg user discussions wrote:
> I am currently a data scientist at USAA. I was trying to use FFMPEG 4.4.1 to convert spex audio files to wav audio format.
> My security team denied the download of the package, and here is the following explanation that they gave:
> DOWNLOAD DENIED: Multiple known vulnerabilities like CVE-2021-38171
> I was wondering how I can get this fixed or if it is already fixed in a later version?

The fix is mentioned in the CVE (https://nvd.nist.gov/vuln/detail/CVE-2021-38171):


It was ported to the 4.4 branch here:


and that is contained in release 4.4.1, as far as I can tell (by "git tag --contains

So the CVE refers to version 4.4, and version 4.4.1 fixes this and is
therefore not affected, AFAICT.

You'll have to have your security team check 4.4.1. You may need to
check each CVE separately (they mention "multiple known
vulnerabilities"). If in doubt, disable the affected feature (as in
this case: the ADTS muxer).

Hope this helps,
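
The check described in the message above, as an added example that is not part of the original post: it builds a throwaway repository (constructed tags `demo-1.0` and `demo-1.0.1`, not FFmpeg's history) and tests whether a fix commit is contained in a release tag. A cherry-picked backport gets its own commit hash, so the check has to use the release-branch commit, not the original one.

```shell
# Added example. Repository, tags and commits are constructed; not FFmpeg's history.

# fix_in_tag REPO COMMIT TAG: succeeds if COMMIT is in the history of TAG.
fix_in_tag() {
    git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# tags_containing REPO COMMIT: prints every tag whose history includes COMMIT.
tags_containing() {
    git -C "$1" tag --contains "$2"
}

# g REPO ARGS...: git with a throwaway identity so commits work anywhere.
g() {
    repo=$1; shift
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false "$@"
}

# build_demo_repo DIR: a fix lands on the development branch, is cherry-picked
# onto a release branch, and a point release is tagged there.
# Sets MAIN_FIX (original commit) and BACKPORT (cherry-picked commit).
build_demo_repo() {
    d=$1
    git init -q "$d"
    echo "write(buf);" > "$d/muxer.c"
    g "$d" add muxer.c && g "$d" commit -q -m "initial"
    g "$d" tag demo-1.0                 # release without the fix
    g "$d" branch release/demo-1.0
    echo "if (write(buf) < 0) return -1;" > "$d/muxer.c"
    g "$d" commit -q -am "muxer: check return value"
    MAIN_FIX=$(g "$d" rev-parse HEAD)
    g "$d" checkout -q release/demo-1.0
    echo "1.0.1" > "$d/RELEASE"
    g "$d" add RELEASE && g "$d" commit -q -m "prepare 1.0.1"
    g "$d" cherry-pick "$MAIN_FIX" >/dev/null
    BACKPORT=$(g "$d" rev-parse HEAD)
    g "$d" tag demo-1.0.1               # point release with the backport
}
report() {  # report REPO LABEL COMMIT TAG
    if fix_in_tag "$1" "$3" "$4"; then echo "$2 is in $4"
    else echo "$2 is NOT in $4"; fi
}
tmp=$(mktemp -d) && build_demo_repo "$tmp/repo"
report "$tmp/repo" "backport commit" "$BACKPORT" demo-1.0.1
report "$tmp/repo" "backport commit" "$BACKPORT" demo-1.0
report "$tmp/repo" "original commit" "$MAIN_FIX" demo-1.0.1
rm -rf "$tmp"
```

Against a real checkout, call `fix_in_tag` with the path to the clone, the backport commit from the release branch and the release tag under review.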
