CVE-2021-21841 — Integer Overflow to Buffer Overflow in Gpac

CWE-680 — Integer Overflow to Buffer Overflow CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-190 — Integer Overflow or Wraparound5 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.3%

top 51.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gpac Debian Gpac Debian Linux +11 more

Timeline

PublishedAug 25

Latest updateMay 24

Description

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when reading an atom using the 'sbgp' FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages14 packages

▶debiandebian/gpac< gpac 1.0.1+dfsg1-4+deb11u1 (bullseye)

▶Debiangpac/gpac< 1.0.1+dfsg1-4+deb11u1

▶NVDgpac/gpac1.0.1

▶msrcmsrc/microsoft_office_2016

▶msrcmsrc/microsoft_office_2019_for_mac

Also affects: Debian Linux 10.0, 11.0

🔴Vulnerability Details

GHSA

GHSA-h7vg-p9j8-7vcw: An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1↗2022-05-24

▶

OSV

CVE-2021-21841: An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1↗2021-08-25

▶

📋Vendor Advisories

Microsoft

Microsoft Excel Remote Code Execution Vulnerability↗2022-01-11

▶

Debian

CVE-2021-21841: gpac - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding ...↗2021

▶