Description
A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Published: 2026-06-26
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE describes a stack overflow in Bento4's AP4_StsdAtom::AP4_StsdAtom constructor, the code that parses the MP4 'stsd' (sample description) atom. A maliciously crafted MP4 file triggers it and crashes the process. The record does not say whether the overflow is a stack buffer overrun or stack exhaustion, and the assigned weakness is the generic CWE-119; the only impact the page supports is a crash, so the consequence is a denial of service for any service that runs Bento4 over the file.

Affected Systems

The flaw exists in all versions of Bento4 before 1.8.9, a widely used MP4 processing library. Systems that embed Bento4 to handle user‑supplied MP4 files are at risk, including media players, transcoding pipelines, the command-line tools shipped with Bento4 (for example mp4info and mp4dump), and any application that relies on Bento4 for validation or manipulation of MP4 content.

Risk and Exploitability

No public exploit has been reported. The EPSS score is unavailable, which for a freshly published CVE means no score has been computed yet rather than that exploitation has been assessed as unlikely. Because the vulnerability is triggered by a specially crafted MP4 file, an attacker who can get such a file in front of a vulnerable Bento4 instance, for example through a web upload, an email attachment, or a network stream, can trigger the crash without authentication. The absence of a KEV listing indicates no confirmed in-the-wild exploitation at the time of writing, but the risk remains for any environment that parses untrusted MP4 data.

Generated by OpenCVE AI on June 26, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The CVE description's "before v1.8.9" bound implies that 1.8.9 addresses the issue; confirm this against the project's release notes before relying on it.

OpenCVE Recommended Actions

  • Upgrade Bento4 to version 1.8.9 or later where the stack overflow is fixed
  • If an upgrade cannot be performed immediately, limit MP4 parsing to trusted sources and execute Bento4 in a sandboxed environment with restricted privileges
  • Introduce pre‑processing validation before calling the parser: reject files whose atom size fields disagree with the bytes actually present, bound the nesting depth of the atom tree, and check that the 'stsd' entry count is consistent with the atom's payload. A plain file-size limit alone does not stop a small crafted file.
  • Monitor application logs for abnormal terminations and implement failover mechanisms to maintain service availability
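The structural pre-check recommended above, written out as an added example; this is not Bento4's own code and does not reproduce the vulnerable parser. It walks the ISO BMFF box tree of an untrusted buffer, rejects any box whose declared size does not fit in the bytes remaining, caps nesting depth (the validator itself recurses, so it must be bounded too), and checks that a 'stsd' entry_count is not larger than its payload can hold. MAX_DEPTH, the container-box list, and the sample inputs are assumptions constructed for the example.

```c
/* Added example (not Bento4 code): a defensive ISO BMFF pre-validator run
 * over untrusted bytes before they reach the real MP4 parser. MAX_DEPTH and
 * the container list are assumptions for this example. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_DEPTH 16   /* hypothetical nesting bound; tune per deployment */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Boxes whose payload is a list of child boxes (subset, enough for this demo). */
static int is_container(const uint8_t *type) {
    static const char *c[] = {"moov", "trak", "mdia", "minf", "stbl",
                              "edts", "dinf", "udta", "mvex", "moof", "traf"};
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++)
        if (memcmp(type, c[i], 4) == 0) return 1;
    return 0;
}

/* 0 = well formed; negative = reason for rejection. */
static int validate_boxes(const uint8_t *buf, size_t len, int depth) {
    if (depth > MAX_DEPTH) return -1;              /* nesting bound */
    size_t off = 0;
    while (off < len) {
        if (len - off < 8) return -2;              /* truncated box header */
        uint64_t size = be32(buf + off);
        const uint8_t *type = buf + off + 4;
        size_t hdr = 8;
        if (size == 1) {                           /* 64-bit 'largesize' */
            if (len - off < 16) return -2;
            size = ((uint64_t)be32(buf + off + 8) << 32) | be32(buf + off + 12);
            hdr = 16;
        } else if (size == 0) {                    /* box runs to end of buffer */
            size = len - off;
        }
        /* declared size must cover its own header and fit in what remains */
        if (size < hdr || size > (uint64_t)(len - off)) return -3;
        const uint8_t *payload = buf + off + hdr;
        size_t plen = (size_t)size - hdr;
        int r = 0;
        if (memcmp(type, "stsd", 4) == 0) {
            /* FullBox: version+flags (4), entry_count (4), then sample entries,
             * each of which is itself a box and so needs at least 8 bytes. */
            if (plen < 8) return -4;
            uint32_t n = be32(payload + 4);
            if (n > (plen - 8) / 8) return -5;     /* entry_count exceeds payload */
            r = validate_boxes(payload + 8, plen - 8, depth + 1);
        } else if (is_container(type)) {
            r = validate_boxes(payload, plen, depth + 1);
        }
        if (r) return r;
        off += (size_t)size;
    }
    return 0;
}

int mp4_prevalidate(const uint8_t *buf, size_t len) {
    return validate_boxes(buf, len, 0);
}

/* Constructed input: minimal well-formed moov/trak/mdia/minf/stbl/stsd tree
 * holding one 16-byte 'mp4a' sample entry (72 bytes total). */
static const uint8_t GOOD[] = {
    0,0,0,72, 'm','o','o','v',
    0,0,0,64, 't','r','a','k',
    0,0,0,56, 'm','d','i','a',
    0,0,0,48, 'm','i','n','f',
    0,0,0,40, 's','t','b','l',
    0,0,0,32, 's','t','s','d', 0,0,0,0, 0,0,0,1,
    0,0,0,16, 'm','p','4','a', 0,0,0,0, 0,0,0,0,
};

/* Copy GOOD, overwrite one 32-bit field at byte offset `off`, then validate. */
int check_patched(size_t off, uint32_t val) {
    uint8_t buf[sizeof GOOD];
    memcpy(buf, GOOD, sizeof GOOD);
    put32(buf + off, val);
    return mp4_prevalidate(buf, sizeof buf);
}

/* Build `levels` nested empty 'moov' boxes and validate; exercises the depth bound. */
int nested_result(int levels) {
    uint8_t buf[8 * 64];
    assert(levels > 0 && levels <= 64);
    for (int i = 0; i < levels; i++) {
        put32(buf + 8 * i, (uint32_t)(8 * (levels - i)));
        memcpy(buf + 8 * i + 4, "moov", 4);
    }
    return mp4_prevalidate(buf, (size_t)(8 * levels));
}
```

The well-formed sample passes; setting the top-level moov size to a value larger than the buffer, shrinking the sample entry below its own header, inflating the stsd entry_count, or nesting beyond MAX_DEPTH each returns a distinct negative code. Note what this does not do: it does not understand sample-entry internals, so it is a gate in front of the parser, not a replacement for upgrading.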

Generated by OpenCVE AI on June 26, 2026 at 23:23 UTC.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:45:00 +0000

Type       | Values Removed | Values Added
Title      |                | Stack overflow in Bento4 MP4 parser causes denial of service
Weaknesses |                | CWE-119

Fri, 26 Jun 2026 22:00:00 +0000

Type        | Values Removed | Values Added
Description |                | A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
References  |                |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-26T21:23:06.373Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36907

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T23:30:05Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer