Impact
This vulnerability is a heap buffer overflow located in the gf_isom_vp_config_new function within the isomedia/avc_ext.c component of GPAC MP4Box. Exploiting the flaw requires presenting a specially crafted MP4 file that triggers the overflow, resulting in a crash of the application and a denial of service. The weakness is classified as CWE-122, indicating that it is a heap-based buffer overflow and poses a loss of availability rather than compromising confidentiality or integrity.
Affected Systems
The issue affects the GPAC MP4Box media toolkit, specifically version 2.4 and potentially earlier releases that include the unpatched isomedia/avc_ext.c code. Users who rely on this version to decode or process MP4 files are at risk when handling untrusted media.
Risk and Exploitability
The CVSS score of 5.5 reflects a moderate risk stemming from a local or remote attack that requires the victim to open or otherwise process a malicious MP4 file. The EPSS score of less than 1% suggests that active exploitation is unlikely at this time, and the vulnerability is not listed in CISA's KEV catalog. However, an attacker could still leverage the flaw to repeatedly crash MP4Box on affected machines, potentially disrupting services or user experience. Because the flaw does not grant code execution or privilege escalation, the threat surface remains confined to denial of service.
OpenCVE Enrichment