RUSTSEC-2025-0008

Openh264 Decoding Functions Heap Overflow Vulnerability

Reported

February 24, 2025

Issued

February 24, 2025

Package

openh264-sys2 (crates.io)

Type

INFO Notice

Categories

memory-corruption

Keywords

#openh264

References

https://github.com/cisco/openh264/pull/3818/

Related

CVE-2025-27091

Patched

>=0.8.0

Description

OpenH264 recently reported a heap overflow that was fixed in upstream 63db555 and integrated into our 0.6.6 release. For users relying on Cisco's pre-compiled DLL, we also published 0.8.0, which is compatible with their latest fixed DLL version 2.6.0.

In other words:

if you rely on our source feature only, >=0.6.6 should be safe,
if you rely on libloading, you must upgrade to 0.8.0 and use their latest DLL >=2.6.0.

Users handling untrusted video files should update immediately.

Advisory available under CC0-1.0 license.