CRITICAL🇵🇱 Wersja polska

CVE-2023-46932

CVSS 9.8v3.1pub. 2023-12-09upd. 2025-05-27

Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitrary code and cause a denial of service (DoS) via str2ulong class in src/media_tools/avilib.c in gpac/MP4Box.

🤖 AI Analysis
How it works

The vulnerability exists in the str2ulong function in the file src/media_tools/avilib.c in the GPAC project. The error consists of improper handling of writes outside the allocated heap area (heap buffer overflow — CWE-787). An attacker can provide a specially crafted multimedia file, which when processed by MP4Box triggers a heap buffer overflow. The consequence can be overwriting critical memory structures, leading to arbitrary code execution or process destabilization.

Impact

An attacker can execute arbitrary code in the context of the process handling the file (RCE) or cause the application to crash and deny service (DoS). In case of successful exploitation, complete system takeover is possible — violation of confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the vendor according to the references. It is recommended to monitor the official GPAC GitHub repository (https://github.com/gpac/gpac) and update to a version containing the fix reported in issue #2669. Until an update is applied, avoid processing untrusted multimedia files with MP4Box and restrict access to the tool only to trusted users.

Who is affected

GPAC version 2.3-DEV-rev617-g671976fcc-master (MP4Box component, file src/media_tools/avilib.c)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Gpac

    APP
    Gpac
    2.3-dev-rev617-g671976fcc-master
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDoSMemory
CWE
References

Related vulnerabilities

CVE-2023-46427CRITICAL9.8PL ✓ten sam produkt

GPAC: null pointer dereference w gf_dash_setup_period umożliwia RCE i DoS

CVE-2024-0322CRITICAL9.1PL ✓ten sam produkt

Out-of-bounds Read w bibliotece GPAC — odczyt pamięci i awaria aplikacji

CVE-2024-0321CRITICAL9.8PL ✓ten sam produkt

Stack-based Buffer Overflow w GPAC — możliwe RCE bez uwierzytelnienia

CVE-2023-2840CRITICAL9.8ten sam produkt

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2.

CVE-2023-2838CRITICAL9.1ten sam produkt

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.