
Cisco has released a security advisory concerning a high-severity vulnerability in the OpenH264 codec library. Tracked as CVE-2025-27091 and assigned a CVSSv4 score of 8.6, this vulnerability could allow remote attackers to trigger a heap overflow, potentially leading to arbitrary code execution.
The vulnerability stems from a race condition in the decoding functions of the OpenH264 library. This race condition occurs between the allocation of memory for a Sequence Parameter Set (SPS) and the subsequent usage of this memory for a non-Instantaneous Decoder Refresh (non-IDR) Network Abstraction Layer (NAL) unit.
An attacker could exploit this vulnerability by crafting a malicious bitstream and inducing a victim to process a video containing this bitstream. This could lead to an unexpected crash in the victim’s decoding client and, in some cases, allow the attacker to execute arbitrary commands on the victim’s host.
“An exploit could allow the attacker to cause an unexpected crash in the victim’s user decoding client and, possibly, perform arbitrary commands on the victim’s host by abusing the heap overflow,” reads the security advisory.
This vulnerability affects OpenH264 versions 2.5.0 and earlier in both Scalable Video Coding (SVC) and Advanced Video Coding (AVC) modes.
Cisco has addressed this vulnerability in OpenH264 software releases 2.6.0 and later. Users are strongly encouraged to upgrade to a fixed version to mitigate the risk associated with CVE-2025-27091.
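To find hosts that still carry an affected build, the version boundary above (2.5.0 and earlier affected, 2.6.0 and later fixed) can be checked against library files on disk. The following is an added example, not code from Cisco or the OpenH264 project; the file-naming conventions it parses and the default search directories are assumptions, and a file whose name carries no version is reported as unknown rather than guessed.

```python
import re
import sys
from pathlib import Path

FIXED = (2, 6, 0)  # first fixed release named in the advisory

# Assumed naming conventions, not taken from the article:
PATTERNS = [re.compile(p) for p in (
    r"openh264\.so\.(\d+(?:\.\d+){1,3})$",    # libopenh264.so.2.5.0 (distro package)
    r"openh264-(\d+(?:\.\d+){1,3})-[^/]*$",   # libopenh264-2.5.0-linux64.7.so, openh264-2.5.0-win64.dll
    r"gmp-gmpopenh264/(\d+(?:\.\d+){1,3})/",  # browser plugin stored in a versioned directory
)]


def extract_version(path):
    """Return the version tuple encoded in a path, or None if there is none."""
    text = str(path).replace("\\", "/")
    m = next((m for m in (p.search(text) for p in PATTERNS) if m), None)
    if not m:
        return None
    parts = [int(x) for x in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad "2.6" to (2, 6, 0)


def classify(path):
    """Return 'vulnerable' (below 2.6.0), 'fixed' (2.6.0 or later) or 'unknown'."""
    version = extract_version(path)
    if version is None:
        return "unknown"  # e.g. a bare soname such as libopenh264.so.7
    return "vulnerable" if version < FIXED else "fixed"


def scan(root):
    """Map each OpenH264-looking file under root to its classification."""
    results = {}
    for p in Path(root).rglob("*openh264*"):
        if p.is_file():
            real = p.resolve()  # follow soname symlinks to the versioned file
            results[str(real)] = classify(real)
    return results


if __name__ == "__main__":
    # Default roots are an assumption; pass the directories to inspect as arguments.
    for root in sys.argv[1:] or ["/usr/lib", "/usr/lib64", "/usr/local/lib"]:
        for path, verdict in sorted(scan(root).items()):
            print(f"{verdict:10} {path}")
```

Applications that bundle or statically link the codec will not show up in a filename scan, so an "unknown" or empty result still calls for checking the vendor's own release notes.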