Description
A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Published: 2026-06-26
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack overflow occurs when Bento4's AP4_StsdAtom constructor processes the 'stsd' atom of an MP4 file. The overflow can overwrite return pointers on the stack, causing the application that uses Bento4 to crash. The immediate effect is a denial of service, as the program terminates when it encounters a malformed MP4. The weakness aligns with CWE-121 (Stack-based Buffer Overflow).

Affected Systems

All versions of Bento4 prior to 1.8.9 are affected. Software that embeds Bento4 to parse or manipulate MP4 containers—such as media players, video transcoding tools, and other libraries that rely on Bento4 for validation or manipulation of MP4 data—is at risk. The vulnerability is independent of the host environment, as it is triggered by a crafted MP4 payload processed by the library.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate impact when the vulnerability leads to a service interruption. The EPSS score of <1% suggests low current exploitation pressure. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, indicating no widespread active attacks have been documented. Based on the description, it is inferred that an attacker who can provide a specially crafted MP4 file—through an upload interface, network stream, or other entry point that invokes Bento4 parsing—can trigger the failure and cause a denial of service. No public exploit code has been reported, but the flaw could be exploited manually by constructing a malicious MP4 file and supplying it to a vulnerable application.

Generated by OpenCVE AI on June 29, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bento4 to version 1.8.9 or later, where the stack overflow bug is fixed.
  • Restrict the sources of MP4 files to trusted or controlled origins if upgrade is delayed.
  • Run Bento4 parsing in a sandboxed environment with restricted privileges to limit potential impact if an overflow occurs.
  • Pre‑validate MP4 files for size, format, and integrity before passing them to the parser to reduce the likelihood of a stack overrun.

Generated by OpenCVE AI on June 29, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Axiomatic
Axiomatic bento4
Vendors & Products Axiomatic
Axiomatic bento4

Mon, 29 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Title Stack Overflow in Bento4's AP4_StsdAtom Allows Denial of Service via Crafted MP4

Mon, 29 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Title Stack overflow in Bento4 MP4 parser causes denial of service
Weaknesses CWE-119

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-121
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Title Stack overflow in Bento4 MP4 parser causes denial of service
Weaknesses CWE-119

Fri, 26 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
References

Subscriptions

Axiomatic Bento4
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-29T13:03:27.492Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36907

cve-icon Vulnrichment

Updated: 2026-06-29T13:03:14.667Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T20:00:03Z

Weaknesses
  • CWE-121

    Stack-based Buffer Overflow