libdav1d CVEs in Older Decoder Versions
This article provides a concise overview of the Common
Vulnerabilities and Exposures (CVEs) associated with older versions of
libdav1d, the popular open-source AV1 video decoder. It
details specific historical security flaws, including memory corruption
and denial-of-service risks, and outlines how these vulnerabilities
impact software relying on the library.
libdav1d is an extremely fast, cross-platform AV1
decoder developed by VideoLAN and the VideoLAN project community.
Because it is written primarily in C and assembly to maximize
performance, older versions of the library have historically been
susceptible to memory safety issues. Software developers integrate
libdav1d into web browsers, media players, and operating
systems, meaning vulnerabilities within the library can have widespread
downstream effects.
Several notable CVEs have been documented for older versions of
libdav1d:
- CVE-2020-22037: This vulnerability involved a heap buffer overflow in
the decoder’s AVX2 acceleration functions (specifically within
ipred_tmpl.c). Attackers could exploit this flaw by forcing the library
to process a maliciously crafted AV1 video file, potentially leading to
application crashes or arbitrary code execution.
- CVE-2021-30018: Discovered in versions prior to 0.8.2, this issue
stemmed from a null pointer dereference during thread allocation. It
allowed remote attackers to cause a denial of service (application
crash) via a specifically crafted video payload.
- CVE-2022-38171: Affecting versions before 1.0.0, this vulnerability
resulted from an out-of-bounds write flaw in the memory alignment
functions (dav1d_memalign). Exploitation of this bug could lead to
memory corruption, instability, or unauthorized code execution.
The primary impact of these vulnerabilities is client-side
exploitation. Since libdav1d is commonly used in web
browsers (such as Firefox and Chrome) and media engines to decode
streaming video, an attacker could host a malicious AV1 file on a
website. When a user with an outdated browser or media player attempts
to play the video, the vulnerability triggers, resulting in an
application crash (denial of service) or, in worse cases, remote code
execution on the user’s system.
To mitigate these security risks, developers and system
administrators must ensure that libdav1d is regularly
updated to the latest stable release. The VideoLAN development team
actively patches these memory-related bugs in newer versions, making
upgrading the most effective defense against known exploits.
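As an added example (not code from the article or from the dav1d project), the check below maps a linked libdav1d version to the two CVEs above for which the article states a fixed version, 0.8.2 and 1.0.0. It assumes the version string has the dotted form that dav1d_version() returns ("0.8.1", "1.0.0", or "0.9.2-12-gabcdef" from a git build); CVE-2020-22037 is left out because the article gives no fixed version for it.

```python
"""Flag libdav1d versions still exposed to the CVEs listed in the article.

Added example, not part of the original article or the dav1d project.
Assumes the dotted version string format of dav1d_version(); any git
suffix after the numeric part is ignored.
"""
import re
import sys
from typing import List, Tuple

# Fixed-version thresholds exactly as stated in the article.
# CVE-2020-22037 is omitted: the article gives no fixed version for it.
KNOWN_CVES: List[Tuple[str, Tuple[int, int, int], str]] = [
    ("CVE-2021-30018", (0, 8, 2), "null pointer dereference in thread allocation"),
    ("CVE-2022-38171", (1, 0, 0), "out-of-bounds write in dav1d_memalign"),
]

# Leading "v" is tolerated; patch component is optional ("0.8" -> 0.8.0).
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a dav1d version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised dav1d version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def affected_cves(version_text: str) -> List[str]:
    """Return the listed CVE ids whose fixed version is newer than the input.

    Tuple comparison gives correct numeric ordering, so 0.10.0 > 0.9.2."""
    ver = parse_version(version_text)
    return [cve for cve, fixed, _ in KNOWN_CVES if ver < fixed]


def report(version_text: str) -> str:
    """One-line summary suitable for an inventory or CI log."""
    hits = affected_cves(version_text)
    if not hits:
        return f"dav1d {version_text}: none of the listed CVEs apply"
    return f"dav1d {version_text}: affected by {', '.join(hits)}; upgrade required"


if __name__ == "__main__":
    # Usage: python check_dav1d.py "$(dav1d_version_string)"
    print(report(sys.argv[1] if len(sys.argv) > 1 else "0.8.1"))
```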