CVE-2021-21848Integer Overflow to Buffer Overflow in Gpac

CWE-680Integer Overflow to Buffer OverflowCWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-190Integer Overflow or Wraparound4 documents4 sources
Severity
8.8HIGHNVD
EPSS
0.2%
top 52.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
GpacDebian GpacDebian Linux
Timeline
PublishedAug 25
Latest updateMay 24

Description

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. The library will actually reuse the parser for atoms with the “stsz” FOURCC code when parsing atoms that use the “stz2” FOURCC code and can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

debiandebian/gpac< gpac 1.0.1+dfsg1-4+deb11u1 (bullseye)
Debiangpac/gpac< 1.0.1+dfsg1-4+deb11u1
NVDgpac/gpac1.0.1

Also affects: Debian Linux 10.0, 11.0

🔴Vulnerability Details

2
GHSA
GHSA-q7q4-gw8j-595q: An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v12022-05-24
OSV
CVE-2021-21848: An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v12021-08-25

📋Vendor Advisories

1
Debian
CVE-2021-21848: gpac - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding ...2021
CVE-2021-21848 — Integer Overflow to Buffer Overflow | cvebase