LiveActive security incident?Get immediate response
CVE Record

CVE-2014-125002: FFmpeg dnxhdenc.c dnxhd_init_rc memory corruption

A vulnerability was found in FFmpeg 2.0. It has been classified as problematic. Affected is the function dnxhd_init_rc of the file libavcodec/dnxhdenc.c. The manipulation leads to memory corruption. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue.

MediumCVSS 5.3Not KEV-listedUpdated
Glexia's Takemoderate

Analyst readout for executives and security teams

Plain-English summary

CVE-2014-125002 is a memory corruption issue in FFmpeg 2.0 affecting DNxHD encoding code. For businesses, the main concern is service disruption in systems that process media using this old FFmpeg version. The public bundle does not show confirmed active exploitation.

Executive priority

Handle as a moderate legacy exposure issue. It is not currently supported by evidence of active exploitation, but media-processing services can be business-critical and often process untrusted content. Prioritize discovery and patch confirmation over emergency response.

Technical view

The vulnerability affects dnxhd_init_rc in libavcodec/dnxhdenc.c in FFmpeg 2.0. It is classified as CWE-119 memory corruption with CVSS 3.1 score 5.3. The vector indicates remote, unauthenticated reachability, no user interaction, and low availability impact only.

Likely exposure

Exposure is most likely in legacy media pipelines, transcoding services, appliances, or applications embedding FFmpeg 2.0 and handling DNxHD or general media processing. The source data names FFmpeg 2.0 only and does not provide CPEs or downstream vendor product lists.

Exploitation context

The CVE source says remote attack is possible, but KEV is false and the bundle contains no cited evidence of active exploitation. Treat exploit maturity as unconfirmed. The practical risk depends on whether vulnerable FFmpeg code is reachable through exposed media processing workflows.

Researcher notes

Evidence is sparse: affected product is FFmpeg 2.0, the impacted function is identified, and a patch reference is provided. No exploit details, affected downstream products, CPEs, or operational mitigations are included in the source bundle.

Mitigation direction

  • Inventory FFmpeg versions across servers, containers, appliances, and bundled applications.
  • Prioritize replacing or patching FFmpeg 2.0 where found.
  • Review the referenced FFmpeg commit and vendor guidance before patch deployment.
  • Ask downstream product vendors whether they embed affected FFmpeg code.
  • Reduce exposure of untrusted media processing until remediation is confirmed.

Validation and detection

  • Check runtime and packaged FFmpeg versions for 2.0 indicators.
  • Confirm whether libavcodec/dnxhdenc.c is present in deployed builds.
  • Verify vendor or source patch status against the referenced commit.
  • Review media ingestion paths that accept untrusted remote content.
  • Document systems where FFmpeg is embedded but version visibility is limited.
Prepared
Confidence
medium
Sources
4

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-119: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2014-125002 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.3 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.3CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L3.91.4Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

5.3Medium
CVSS 3.1 vector shape for CVE-2014-125002Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
unspecifiedFFmpeg2.0Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-119 · source CWE mapping

Improper Restriction of Operations within the Bounds of a Memory Buffer

Improper Restriction of Operations within the Bounds of a Memory Buffer represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.