Description
A stack overflow in the AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Published: 2026-06-26
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stack overflow in the AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity component of Bento4 that can be triggered by a maliciously crafted MP4 file. This stack-based buffer overflow is compounded by an out-of-bounds write (CWE-121) that corrupts the stack, leading to a crash of the media processing application. The impact is a denial of service; no evidence indicates code execution or data disclosure, so the vulnerability primarily affects availability.

Affected Systems

Bento4 component from axiomatic‑systems used in media handling applications before version 1.8.9. Any software that incorporates this library to parse or write MP4 files is potentially affected.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score is below 1%, implying a low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that the vulnerability can be triggered remotely by delivering a crafted MP4 file to an application that processes media using Bento4. This requires the application to accept external media input; if that condition is met, a remote attacker could invoke the stack overflow and cause a DoS. If the application does not accept untrusted files, local exploitation would be required. The impact is service interruption with no evidence of data confidentiality or integrity breach.

Generated by OpenCVE AI on June 29, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Bento4 library to version 1.8.9 or later to fix the stack overflow.
  • If a newer version is not immediately available, remove or disable the use of Bento4 in components that process untrusted MP4 files until a patch is deployed.
  • Add input validation or sandbox the MP4 processing routine so that malformed files cannot crash the process.

Generated by OpenCVE AI on June 29, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Axiomatic
Axiomatic bento4
Vendors & Products Axiomatic
Axiomatic bento4

Mon, 29 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title Stack Overflow in Bento4 MP4 Parsing Causing Denial of Service

Mon, 29 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Title Stack Overflow in Bento4 MP4 Parser Enables DoS
Weaknesses CWE-120

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-121
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Stack Overflow in Bento4 MP4 Parser Enables DoS
Weaknesses CWE-120

Fri, 26 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description A stack overflow in the AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
References

Subscriptions

Axiomatic Bento4
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-29T13:00:01.511Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36908

cve-icon Vulnrichment

Updated: 2026-06-29T12:59:19.452Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T20:00:03Z

Weaknesses
  • CWE-121

    Stack-based Buffer Overflow