CVE-2024-35365: 
Ffmpeg vulnerability analysis and mitigation

FFmpeg version n6.1.1 contains a double-free vulnerability in the fftools/ffmpegmuxinit.c component, specifically within the newstreamaudio function. The vulnerability was discovered and disclosed on January 3, 2025 (NVD, MITRE).

The vulnerability is classified as a double-free issue (CWE-415) in the FFmpeg's audio stream initialization code. The bug occurs when the MATCHPERSTREAM_OPT macro iterates over options and prematurely sets ost->apad, leading to potential double-free scenarios when an error occurs later in the execution. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

A double-free vulnerability can lead to memory corruption, potentially allowing attackers to execute arbitrary code, cause program crashes, or achieve denial of service conditions. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of affected systems (CISA-ADP).

The vulnerability has been fixed in FFmpeg through a patch that modifies the audio stream initialization code to use a temporary variable instead of directly setting ost->apad, and only performing strdup on non-NULL strings. Users should update to the patched version of FFmpeg (GitHub Commit).