CVE-2022-30976 — Out-of-bounds Read in Gpac

CWE-125 — Out-of-bounds Read4 documents4 sources

Severity

7.1HIGHNVD

EPSS

0.2%

top 53.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gpac Debian Gpac

Timeline

PublishedMay 18

Latest updateMay 19

Description

GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf8_wcslen) function in utils/utf.c, resulting in a heap-based buffer over-read, as demonstrated by MP4Box.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages2 packages

▶NVDgpac/gpac2.0.0

▶debiandebian/gpac

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-mf78-vf74-9qc5: GPAC 2↗2022-05-19

▶

OSV

CVE-2022-30976: GPAC 2↗2022-05-18

▶

📋Vendor Advisories

Debian

CVE-2022-30976: gpac - GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf8_wcslen) functi...↗2022

▶