CVE-2025-69693 is a memory safety vulnerability identified in the FFmpeg multimedia framework, specifically within the RV60 video decoder implementation (libavcodec/rv60dec.c). The root cause is an out-of-bounds read triggered by insufficient validation of the quantization parameter (qp) used during video decoding. The qp value is derived from a 6-bit frame header base value (maximum 63) plus an offset (+2), which can result in qp reaching 65. However, the rv60_qp_to_idx lookup array has only 64 entries (indices 0 to 63). The existing validation only checks if qp is less than zero but does not enforce an upper bound, allowing qp to exceed the array size. This leads to out-of-bounds array access at multiple code locations: decode_cbp8 (line 1554), decode_cbp16 (line 1655), and get_c4x4_set (lines 1419/1421). Such out-of-bounds reads can cause application crashes or potentially leak sensitive memory contents, depending on how the data is used. A previous patch fixed this issue for intra frames but did not cover other frame types, leaving the vulnerability present in released versions 8.0 and 8.0.1. The vulnerability was publicly disclosed in March 2026 and is fixed in the FFmpeg git master branch (commit 8abeb879df), slated for inclusion in FFmpeg 8.1. No known exploits have been reported in the wild, but the flaw poses a risk to any system processing RV60 video streams with the affected FFmpeg versions.

The vulnerability can lead to application crashes, causing denial of service in systems relying on FFmpeg for video decoding. More critically, the out-of-bounds read may allow attackers to disclose portions of memory, potentially exposing sensitive information processed by the application. Systems that decode untrusted or malicious RV60 video streams are at risk, including media players, streaming servers, video editing software, and any service embedding FFmpeg. Given FFmpeg's widespread use across many platforms and industries, the impact could be broad, affecting multimedia applications on desktops, servers, and embedded devices. Although no remote code execution is directly indicated, memory disclosure can aid attackers in further exploitation or reconnaissance. The lack of known exploits suggests limited current active threat, but the vulnerability's presence in recent FFmpeg releases means many deployments could be vulnerable if not updated. Organizations processing video content from untrusted sources are particularly at risk.

Organizations should upgrade FFmpeg to version 8.1 or later, where the vulnerability is fixed. If immediate upgrade is not feasible, consider disabling RV60 codec support if not required, to eliminate exposure. Implement strict input validation and sandboxing around video decoding processes to contain potential crashes or memory leaks. Monitor for unusual application crashes or memory access errors in systems using FFmpeg 8.0 or 8.0.1. Employ runtime protections such as AddressSanitizer or similar memory safety tools during development and testing to detect out-of-bounds accesses. For critical environments, isolate video processing workloads and limit privileges of processes handling untrusted video streams. Stay informed on FFmpeg security advisories for any updates or emerging exploits related to this vulnerability.