Impact
A stack overflow occurs when Bento4's AP4_StsdAtom constructor processes the 'stsd' atom of an MP4 file. The overflow can overwrite return pointers on the stack, causing the application that uses Bento4 to crash. The immediate effect is a denial of service, as the program terminates when it encounters a malformed MP4. The weakness aligns with CWE-121 (Stack-based Buffer Overflow).
Affected Systems
All versions of Bento4 prior to 1.8.9 are affected. Software that embeds Bento4 to parse or manipulate MP4 containers—such as media players, video transcoding tools, and other libraries that rely on Bento4 for validation or manipulation of MP4 data—is at risk. The vulnerability is independent of the host environment, as it is triggered by a crafted MP4 payload processed by the library.
Risk and Exploitability
The CVSS score of 5.5 indicates moderate impact when the vulnerability leads to a service interruption. The EPSS score of <1% suggests low current exploitation pressure. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, indicating no widespread active attacks have been documented. Based on the description, it is inferred that an attacker who can provide a specially crafted MP4 file—through an upload interface, network stream, or other entry point that invokes Bento4 parsing—can trigger the failure and cause a denial of service. No public exploit code has been reported, but the flaw could be exploited manually by constructing a malicious MP4 file and supplying it to a vulnerable application.
OpenCVE Enrichment