Description
A vulnerability was detected in CCExtractor up to and including version 0.96.5. The affected code is the function processmp4 in the file src/lib_ccx/mp4.c. Performing a manipulation results in a use after free. The attack is only possible with local access. The exploit is public and may be used. Upgrading to version 0.96.6 addresses this issue; the fixing commit is fd7271bae238ccb3ae8a71304ea64f0886324925. The affected component should be upgraded.
Published: 2026-02-21
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Use After Free in CCExtractor library
Action: Patch
AI Analysis

Impact

CCExtractor's processmp4 function in mp4.c contains a use-after-free flaw that arises after certain manipulations of MP4 data. When triggered, the program accesses memory that has already been freed, which may corrupt data, crash the process, or potentially allow an attacker to execute arbitrary code. The weakness is a classic memory safety issue (CWE-119 and CWE-416).

Affected Systems

CCExtractor is the affected vendor and product. Versions up to and including 0.96.5 contain the flaw; version 0.96.6 contains the remediation in commit fd7271bae238ccb3ae8a71304ea64f0886324925. Tools or services that embed or run CCExtractor locally are therefore vulnerable.

Risk and Exploitability

The CVSS score of 4.8 indicates a low severity based on current metrics, and the EPSS score of less than 1% signals a very low probability of exploitation at present. The vulnerability is only exploitable with local access, but the exploit code is publicly available, so any user who runs CCExtractor with local privileges could potentially trigger the bug. The issue is not listed in the CISA KEV catalog, but the public exploit raises the risk, and administrators should act promptly.

Generated by OpenCVE AI on April 18, 2026 at 11:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CCExtractor to version 0.96.6 or later to apply the vendor patch
  • Limit local execution of CCExtractor to trusted users or restrict privileges to reduce attack surface
  • Run CCExtractor within an isolated environment such as a container or sandbox to contain potential memory corruption

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Ccextractor; Ccextractor ccextractor

Type: Vendors & Products
Values Added: Ccextractor; Ccextractor ccextractor

Sat, 21 Feb 2026 22:15:00 +0000

Type: Description
Values Added: A vulnerability was detected in CCExtractor up to 0.96.5. Affected is the function processmp4 in the library src/lib_ccx/mp4.c. Performing a manipulation results in use after free. The attack is only possible with local access. The exploit is now public and may be used. Upgrading to version 0.96.6 is able to address this issue. The patch is named fd7271bae238ccb3ae8a71304ea64f0886324925. You should upgrade the affected component.

Type: Title
Values Added: CCExtractor mp4.c processmp4 use after free

Type: Weaknesses
Values Added: CWE-119; CWE-416

Type: References
Values Added: (none listed)

Type: Metrics (cvssV2_0)
Values Added: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}

Type: Metrics (cvssV3_0)
Values Added: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

Type: Metrics (cvssV3_1)
Values Added: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

Type: Metrics (cvssV4_0)
Values Added: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T19:29:40.587Z

Reserved: 2026-02-20T17:14:28.102Z

Link: CVE-2026-2889

Vulnrichment

Updated: 2026-02-23T19:29:34.642Z

NVD

Status : Deferred

Published: 2026-02-21T22:15:59.353

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2889

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:30:44Z

Weaknesses