CVE-2024-35366 is an integer overflow vulnerability identified in FFmpeg version 6.1.1, located in the parse_options function within sbgdec.c of the libavformat module. The vulnerability stems from inadequate input validation when parsing certain options, specifically allowing negative duration values to bypass bounds checking. This flaw corresponds to CWE-190 (Integer Overflow or Wraparound). Exploiting this vulnerability can lead to memory corruption, potentially enabling an attacker to disrupt the normal operation of the software or execute arbitrary code. The vulnerability is remotely exploitable without requiring privileges or user interaction, as it can be triggered by processing specially crafted media files or streams containing malicious options. The CVSS v3.1 base score is 9.1, reflecting its critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no public exploits are currently known, the nature of FFmpeg as a widely used multimedia framework in numerous applications and platforms increases the risk of exploitation. The vulnerability affects any system using the vulnerable FFmpeg version for media decoding or streaming, making it a significant concern for media servers, streaming platforms, and software relying on FFmpeg libraries.

The potential impact of CVE-2024-35366 is substantial for organizations worldwide that utilize FFmpeg for media processing, streaming, or content delivery. Successful exploitation can lead to arbitrary code execution or denial of service, compromising system integrity and availability. This can disrupt critical media services, cause data corruption, or allow attackers to gain control over affected systems. Given FFmpeg's integration in many software products, including video players, streaming servers, and content management systems, the vulnerability poses a broad attack surface. Organizations in media, entertainment, telecommunications, and cloud service providers are particularly at risk. The lack of required authentication and user interaction lowers the barrier for attackers, increasing the likelihood of exploitation once a public exploit emerges. The vulnerability could also be leveraged as a pivot point for further network compromise, especially in environments where FFmpeg is part of larger multimedia processing pipelines.

To mitigate CVE-2024-35366, organizations should immediately identify and inventory all systems and applications using FFmpeg version 6.1.1 or earlier. Although no official patch links are currently provided, monitoring FFmpeg project updates for security patches is critical. In the interim, restrict processing of untrusted or unauthenticated media inputs, especially those that could contain malicious options triggering the vulnerability. Employ input validation and sanitization at application layers before passing data to FFmpeg. Implement network-level protections such as filtering and sandboxing media processing components to limit potential damage from exploitation. Use application whitelisting and runtime protections (e.g., DEP, ASLR) to reduce exploit success. Additionally, monitor logs and network traffic for anomalies indicative of exploitation attempts. Engage with vendors and software maintainers to ensure timely updates and consider temporary disabling or isolating vulnerable FFmpeg components if feasible.