Summary: Cisco has published a security advisory for a high-severity vulnerability in the OpenH264 codec library, tracked as CVE-2025-27091, that can lead to remote code execution via a heap overflow. The flaw is a race condition in the decoding functions between the memory allocation for a Sequence Parameter Set (SPS) and a subsequent allocation for a non-conformant slice; an attacker who can get a victim to decode a crafted H.264 bitstream (for example by serving a malicious video) can trigger the overflow, crash the decoding process and potentially execute arbitrary code in its context. Users are advised to upgrade to OpenH264 2.6.0 or later. Because applications frequently bundle OpenH264 or download it at runtime as a media plugin, each embedded copy needs updating, not only the system-wide library.
Affected: OpenH264 versions 2.5.0 and earlier
Key points:
- Vulnerability tracked as CVE-2025-27091 with a CVSSv4 base score of 8.6 (High).
- Exploitation requires the victim to decode a crafted bitstream; the resulting heap overflow can crash the decoding process and may allow arbitrary code execution.
- Fixed in OpenH264 2.6.0 and later; upgrade promptly, including any copies bundled with applications.
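As an added example (not part of the advisory or of the OpenH264 project), the POSIX shell helper below audits a host for OpenH264 copies that predate the fixed 2.6.0 release. It infers the version from the file or directory name (OpenH264's shared library is installed as libopenh264.so.MAJOR.MINOR.PATCH, and browsers that fetch the codec as a plugin keep it under a versioned directory), compares versions numerically so that 2.10.0 is correctly treated as newer than 2.6.0, and flags any copy it cannot version for manual inspection. The search directories, the assumed Firefox plugin layout and the sample path list are illustrative assumptions.

```shell
#!/bin/sh
# Added audit helper for CVE-2025-27091; not from the advisory or the OpenH264 project.
# Flags copies of OpenH264 whose version is below the fixed release 2.6.0.

FIXED_VERSION="2.6.0"

# version_lt A B: returns 0 (true) when dotted version A is strictly lower than B.
# Fields are compared numerically, so 2.10.0 sorts above 2.6.0. Pre-release
# suffixes (e.g. 2.6.0rc1) are not handled; OpenH264 releases use plain triples.
version_lt() {
  lhs="$1.0.0" rhs="$2.0.0"      # pad so every field 1..3 exists
  i=1
  while [ "$i" -le 3 ]; do
    la=$(printf '%s' "$lhs" | cut -d. -f"$i")
    ra=$(printf '%s' "$rhs" | cut -d. -f"$i")
    [ "${la:-0}" -lt "${ra:-0}" ] && return 0
    [ "${la:-0}" -gt "${ra:-0}" ] && return 1
    i=$((i + 1))
  done
  return 1                        # equal is not "less than"
}

# openh264_is_affected VERSION: true when VERSION is older than the fixed release.
openh264_is_affected() {
  version_lt "$1" "$FIXED_VERSION"
}

# version_from_path PATH: prints the last MAJOR.MINOR.PATCH triple found in PATH
# (e.g. libopenh264.so.2.5.0 -> 2.5.0), or nothing if none is present.
version_from_path() {
  printf '%s\n' "$1" | sed -n 's/.*[^0-9]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# audit_paths: reads one path per line on stdin and prints a verdict per path:
#   AFFECTED <path> <version>   version below 2.6.0
#   OK       <path> <version>   version 2.6.0 or later
#   UNKNOWN  <path>             no version in the name; check it manually
audit_paths() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    ver=$(version_from_path "$path")
    if [ -z "$ver" ]; then
      printf 'UNKNOWN  %s\n' "$path"
    elif openh264_is_affected "$ver"; then
      printf 'AFFECTED %s %s\n' "$path" "$ver"
    else
      printf 'OK       %s %s\n' "$path" "$ver"
    fi
  done
}

# count_affected: same input as audit_paths; echoes the number of affected copies.
count_affected() {
  audit_paths | grep -c '^AFFECTED' || true   # grep -c exits 1 on zero matches
}

# Constructed sample paths (assumed locations, for the offline demo below).
SAMPLE_PATHS='/usr/lib64/libopenh264.so.2.5.0
/usr/local/lib/libopenh264.so.2.6.0
/home/alice/.mozilla/firefox/abc.default/gmp-gmpopenh264/2.3.2/libgmpopenh264.so
/opt/vendor/app/lib/libopenh264.so'

if [ "${1:-}" = "--scan" ]; then
  # Live scan. Directory list is an assumption; extend it for your hosts.
  find /usr/lib /usr/lib64 /usr/local/lib "${HOME:-/root}/.mozilla" \
       \( -name 'libopenh264*' -o -name '*gmpopenh264*' \) 2>/dev/null | audit_paths
else
  printf '%s\n' "$SAMPLE_PATHS" | audit_paths
fi
```

Run it with `--scan` for a live search of the assumed directories; without arguments it audits the constructed sample list. A copy reported as UNKNOWN (an unversioned filename, as with the vendor-bundled example above) should be checked through its package manager or by calling the library's `WelsGetCodecVersion()` API, which is authoritative where the filename is not.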