CVE-2025-12343: ffmpeg: security flaw enables exploitation
MEDIUM
CVE-2025-12343 is a medium-severity DoS vulnerability in FFmpeg's TensorFlow DNN backend affecting AI/ML media processing pipelines. The local attack vector and required user interaction significantly limit real-world exploitability, but automated media ingestion pipelines effectively eliminate the 'user interaction' barrier. Patch FFmpeg in any environment using TensorFlow-based DNN inference for video/audio processing, and validate that untrusted media files cannot reach FFmpeg's DNN backend directly.
What is the risk?
Risk is LOW-MEDIUM in practice. CVSS 5.5 reflects the local attack vector (AV:L) and required user interaction (UI:R), which together constrain exploitability. No privilege escalation or code execution is possible — impact is pure availability (A:H). However, in automated AI/ML media processing pipelines (e.g., video content analysis, computer vision preprocessing), the 'user interaction' constraint is functionally irrelevant as the pipeline processes files autonomously. Exposure increases significantly in architectures where untrusted media files feed directly into FFmpeg-based DNN inference. Not in CISA KEV; no active exploitation reported.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| ffmpeg | — | — | No patch |
Do you use ffmpeg? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps:
- Inventory FFmpeg versions across AI/ML infrastructure, particularly in media preprocessing and computer vision pipelines.
- Apply available vendor patches from RedHat (CVE-2025-12343 advisory); monitor upstream FFmpeg for official patch version.
- If patching is not immediately possible, disable FFmpeg's TensorFlow DNN backend (dnn_backend_tf) in non-essential workloads.
- Implement input validation and sandboxing for media files processed through FFmpeg — run FFmpeg in isolated containers with resource limits to contain crash impact.
- Add crash monitoring and alerting on FFmpeg processes in AI/ML pipelines (unexpected exits, OOM signals).
- In automated pipelines, enforce file-type and content validation upstream before DNN processing.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2025-12343?
CVE-2025-12343 is a medium-severity DoS vulnerability in FFmpeg's TensorFlow DNN backend affecting AI/ML media processing pipelines. The local attack vector and required user interaction significantly limit real-world exploitability, but automated media ingestion pipelines effectively eliminate the 'user interaction' barrier. Patch FFmpeg in any environment using TensorFlow-based DNN inference for video/audio processing, and validate that untrusted media files cannot reach FFmpeg's DNN backend directly.
Is CVE-2025-12343 actively exploited?
No confirmed active exploitation of CVE-2025-12343 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-12343?
1. Inventory FFmpeg versions across AI/ML infrastructure, particularly in media preprocessing and computer vision pipelines.
2. Apply available vendor patches from RedHat (CVE-2025-12343 advisory); monitor upstream FFmpeg for official patch version.
3. If patching is not immediately possible, disable FFmpeg's TensorFlow DNN backend (dnn_backend_tf) in non-essential workloads.
4. Implement input validation and sandboxing for media files processed through FFmpeg — run FFmpeg in isolated containers with resource limits to contain crash impact.
5. Add crash monitoring and alerting on FFmpeg processes in AI/ML pipelines (unexpected exits, OOM signals).
6. In automated pipelines, enforce file-type and content validation upstream before DNN processing.
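The process-level part of steps 4 and 5 (resource limits plus crash detection), as an added example that is not taken from the advisory or from FFmpeg. The function name, outcome names and limit values are assumptions; the command passed in is whatever FFmpeg invocation the pipeline already uses.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum outcome { WORKER_OK, WORKER_ERROR, WORKER_CRASH, WORKER_SPAWN_FAIL };

/* Set soft and hard limit to the same value (called in the child only). */
static void cap(int what, rlim_t v) { struct rlimit r = { v, v }; setrlimit(what, &r); }

/* Run one worker command in its own process with resource caps and report
 * how it ended. Limit values are example assumptions; tune per workload. */
enum outcome run_contained(char *const argv[], int *sig_out) {
    pid_t pid = fork();
    if (pid < 0) return WORKER_SPAWN_FAIL;
    if (pid == 0) {
        cap(RLIMIT_AS, (rlim_t)1 << 30);   /* 1 GiB address space */
        cap(RLIMIT_CPU, 60);               /* 60 s CPU, then SIGXCPU */
        cap(RLIMIT_CORE, 0);               /* no core files from untrusted input */
        execvp(argv[0], argv);
        _exit(127);                        /* exec failed */
    }
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return WORKER_SPAWN_FAIL;
    if (WIFSIGNALED(status)) {             /* e.g. SIGABRT, SIGSEGV, SIGKILL */
        if (sig_out) *sig_out = WTERMSIG(status);
        return WORKER_CRASH;
    }
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? WORKER_OK : WORKER_ERROR;
}

int main(int argc, char **argv) {
    int sig = 0;
    if (argc < 2) { fprintf(stderr, "usage: %s cmd [args...]\n", argv[0]); return 2; }
    switch (run_contained(argv + 1, &sig)) {
    case WORKER_OK:    return 0;
    case WORKER_CRASH: fprintf(stderr, "ALERT worker killed by signal %d\n", sig); return 1;
    default:           fprintf(stderr, "worker failed without a signal\n"); return 1;
    }
}
```

Because the worker runs in a child process, a crash in it ends only that job; glibc typically aborts with SIGABRT when it detects a double free, which this wrapper reports as `WORKER_CRASH`.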
What systems are affected by CVE-2025-12343?
This vulnerability affects the following AI/ML architecture patterns: media processing pipelines, computer vision preprocessing, training data pipelines, model serving with FFmpeg integration, multimodal AI ingestion pipelines, video content moderation systems.
What is the CVSS score for CVE-2025-12343?
CVE-2025-12343 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.15%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0011 User Execution
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0029 Denial of AI Service
- AML.T0049 Exploit Public-Facing Application
Compliance Controls Affected
What are the technical details?
Original Advisory
A flaw was found in FFmpeg’s TensorFlow backend within the libavfilter/dnn_backend_tf.c source file. The issue occurs in the dnn_execute_model_tf() function, where a task object is freed multiple times in certain error-handling paths. This redundant memory deallocation can lead to a double-free condition, potentially causing FFmpeg or any application using it to crash when processing TensorFlow-based DNN models. This results in a denial-of-service scenario but does not allow arbitrary code execution under normal conditions.
Exploitation Scenario
An adversary targeting an AI-powered media analysis service (e.g., automated video moderation, content classification) uploads a specially crafted media file designed to trigger error-handling paths in FFmpeg's TensorFlow DNN backend. When the pipeline calls dnn_execute_model_tf() to run inference on the file, the double-free is triggered, crashing the FFmpeg worker process. In a poorly isolated architecture, this crash propagates to the inference service, causing repeated DoS against the AI pipeline. An adversary can automate this by bulk-uploading malicious files, causing sustained service disruption with minimal effort and no elevated privileges.
Weaknesses (CWE)
CWE-415 — Double Free: The product calls free() twice on the same memory address.
- [Architecture and Design] Choose a language that provides automatic memory management.
- [Implementation] Ensure that each allocation is freed only once. After freeing a chunk, set the pointer to NULL to ensure the pointer cannot be freed again. In complicated error conditions, be sure that clean-up routines respect the state of allocation properly. If the language is object oriented, ensure that object destructors delete each chunk of memory only once.
Source: MITRE CWE corpus.
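The error-path double free described in the advisory, next to the "free once, then set the pointer to NULL" mitigation listed above, as an added example. It is a constructed model, not code from FFmpeg's dnn_backend_tf.c: `Task`, `release`, `submit_*` and `execute_*` are hypothetical names, and `release()` marks the task instead of freeing it so the repeated release can be counted safely.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a queued inference task; not FFmpeg's struct. */
typedef struct Task { int released; } Task;
static int double_frees;   /* releases of an already released task */

/* Stand-in for free(): marks the task instead of deallocating it, so a
 * second release is counted here rather than corrupting the real heap. */
static void release(Task *t) { double_frees += t->released; t->released = 1; }

/* Hypothetical helper whose error path cleans up the task it was handed. */
static int submit_vulnerable(Task *t, int fail) {
    if (fail) { release(t); return -1; }
    return 0;
}

/* Vulnerable shape: the caller's cleanup runs on every path. */
int execute_vulnerable(int fail) {
    Task *t = calloc(1, sizeof(*t));
    if (!t) return -1;
    double_frees = 0;
    submit_vulnerable(t, fail);
    release(t);            /* second release when the helper failed */
    free(t);               /* the one real deallocation */
    return double_frees;
}

/* Hardened shape: release through the owner's pointer and clear it. */
static void release_and_clear(Task **pt) {
    if (!*pt) return;
    release(*pt);
    free(*pt);
    *pt = NULL;
}
static int submit_fixed(Task **pt, int fail) {
    if (fail) { release_and_clear(pt); return -1; }
    return 0;
}
int execute_fixed(int fail) {
    Task *t = calloc(1, sizeof(*t));
    if (!t) return -1;
    double_frees = 0;
    submit_fixed(&t, fail);
    release_and_clear(&t); /* no-op if the helper already cleared t */
    return double_frees;
}
int main(void) {           /* prints double-free counts: vulnerable, then fixed */
    return printf("%d %d\n", execute_vulnerable(1), execute_fixed(1)) < 0;
}
```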
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References
- access.redhat.com/security/cve/CVE-2025-12343 3rd Party
- bugzilla.redhat.com/show_bug.cgi Issue 3rd Party
Timeline
Related Vulnerabilities
- CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE (same attack type: Code Execution)
- CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection (same attack type: Code Execution)
- CVE-2025-2828 10.0 LangChain RequestsToolkit: SSRF exposes cloud metadata (same attack type: Auth Bypass)
- CVE-2025-53767 10.0 Azure OpenAI: SSRF EoP, no auth required (CVSS 10) (same attack type: Auth Bypass)
- CVE-2024-2912 10.0 BentoML: RCE via insecure deserialization (CVSS 10) (same attack type: Code Execution)