OpenH264: Vulnerability in Cisco's video codec jeopardizes Firefox

A vulnerability in Cisco's video codec OpenH264 allows attackers to smuggle in malicious code. Firefox is also at risk.

Stylized image: A laptop shows the YouTube logo, with viruses flying all around it

Manipulated video clips can trick victims with malware.

(Image: Created with AI in Bing Designer by heise online / dmk)


The open-source video codec OpenH264 is affected by a serious security vulnerability. Attackers can misuse it to infect victims with malicious code.

Cisco has published a security announcement in the project's GitHub repository that discusses the details. Remote attackers can provoke a heap-based buffer overflow without prior authentication. The cause is a race condition in the processing of video streams. Attackers can exploit it with a carefully prepared bitstream, i.e. a manipulated video file, which they only need to trick victims into viewing in order to "trigger an unexpected crash in the victim's decoding client and possibly execute arbitrary commands on the victim's computer by abusing the overflow" (CVE-2025-27091, CVSS 8.6, risk "high").

OpenH264 supports Scalable Video Coding (SVC), in which videos are encoded at multiple bit rates, and Advanced Video Coding (AVC) mode for the individual video streams. The vulnerability occurs in both modes.

The vulnerability affects OpenH264 version 2.5.0 and older. Version 2.6.0, which no longer contains the vulnerability, is now available on GitHub.


The Firefox web browser has included Cisco's OpenH264 as a fallback solution since Firefox 33, released in 2014. The Mozilla Foundation explains in a support article that the browser uses the codec to enable WebRTC streams such as video calls even if no H264 codec is available in the operating system. As examples, Mozilla mentions the Windows N versions, which come without such codecs, and Linux distributions such as Ubuntu, where such codecs first have to be installed from special repositories such as "ubuntu-restricted-extras".

Firefox comes with OpenH264 in a vulnerable version.

(Image: Screenshot / dmk)

The menu item "Plugins" can be found in the settings menu under "Add-ons and Themes". Clicking on "OpenH264" opens its settings and displays the version currently supplied. Firefox 135.0.1 currently ships OpenH264 version 2.3.2, which dates from July 2023. By clicking on the three dots to the right of the "OpenH264" heading, users can switch the option to "Never activate" until a fixed, non-vulnerable version of the library is delivered for Firefox.
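For administrators who want to run the same check across many profiles rather than through the settings menu, the following sketch is an added example (not code from heise, Cisco or Mozilla). It assumes Firefox records the plugin state in each profile's `prefs.js` under `media.gmp-gmpopenh264.version` and `media.gmp-gmpopenh264.enabled`, and that a missing `enabled` pref means the plugin is active; the function names and the sample input are constructed for illustration.

```python
import re
from pathlib import Path

FIXED = (2, 6, 0)  # first OpenH264 release without CVE-2025-27091, per the article
PREF_RE = re.compile(
    r'^user_pref\("media\.gmp-gmpopenh264\.(version|enabled)",\s*(.+?)\);\s*$')

# Constructed sample of the relevant prefs.js lines (not taken from a real profile).
SAMPLE = ('user_pref("media.gmp-gmpopenh264.abi", "x86_64-gcc3");\n'
          'user_pref("media.gmp-gmpopenh264.version", "2.3.2");\n')

def parse_version(text):
    """'2.3.2' -> (2, 3, 2); short versions are padded so '2.6' compares as 2.6.0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def read_openh264_prefs(prefs_text):
    """Extract the plugin version and enabled flag from prefs.js content."""
    state = {"version": None, "enabled": True}  # assumption: active unless disabled
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        key, raw = m.groups()
        if key == "version":
            state["version"] = raw.strip('"')
        else:
            state["enabled"] = raw.strip() == "true"
    return state

def assess(prefs_text):
    """Classify one profile; anything older than 2.6.0 is treated as affected."""
    state = read_openh264_prefs(prefs_text)
    if state["version"] is None:
        return "not-installed"
    if parse_version(state["version"]) >= FIXED:
        return "fixed"
    return "vulnerable-enabled" if state["enabled"] else "vulnerable-disabled"

def scan_profiles(root):
    """Map each profile directory below root to its assessment."""
    return {str(p.parent): assess(p.read_text(errors="replace"))
            for p in Path(root).glob("*/prefs.js")}

if __name__ == "__main__":
    print(assess(SAMPLE))  # a profile root such as ~/.mozilla/firefox goes to scan_profiles()
```

A profile reported as `vulnerable-disabled` corresponds to the "Never activate" setting described above.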

Update

Mozilla responded to our question about this issue: "We are aware that the OpenH264 plugin used by Firefox is currently outdated. Although we have no indication that this represents a security issue for users because the plugin is run inside our extensive sandboxing mechanisms as a measure to protect users in similar cases, we are working on an update."

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.