Axiomatic Bento4 Heap-Based Buffer Overflow Vulnerability in mp42aac Component

Vulnerability

A critical heap-based buffer overflow vulnerability has been identified in Axiomatic Bento4 versions through 1.6.0. The issue is in the mp42aac component, specifically in the AP4_BitReader::ReadBits function. It can be exploited remotely and leads to memory corruption, because an attacker can manipulate heap memory beyond the allocated boundaries.
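As a defensive illustration of this bug class, the added example below (not Bento4's code, and not taken from this advisory) shows a bit reader that checks every request against the bits remaining, so truncated input produces a parse error instead of a read past the heap buffer. The names BoundedBitReader, AudioConfig and ParseAudioConfig are hypothetical, and parsing the leading fields of an MPEG-4 AudioSpecificConfig is an assumption made for the demonstration; the advisory does not say which structure was being read when the overflow occurred.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical bounds-checked, MSB-first bit reader (not Bento4's AP4_BitReader).
class BoundedBitReader {
public:
    BoundedBitReader(const uint8_t* data, size_t size)
        : data_(data), size_bits_(size * 8), pos_bits_(0) {}
    size_t BitsLeft() const { return size_bits_ - pos_bits_; }
    // Reads n bits (0..32) into out. On a request that is too wide or runs past
    // the end of the buffer it returns false and consumes nothing.
    bool ReadBits(unsigned n, uint32_t& out) {
        if (n > 32 || n > BitsLeft()) return false;
        uint32_t value = 0;
        for (unsigned i = 0; i < n; ++i, ++pos_bits_) {
            unsigned bit = (data_[pos_bits_ / 8] >> (7 - pos_bits_ % 8)) & 1u;
            value = (value << 1) | bit;
        }
        out = value;
        return true;
    }
private:
    const uint8_t* data_;
    size_t size_bits_;
    size_t pos_bits_;
};

struct AudioConfig {
    uint32_t object_type, sample_rate_index, sample_rate, channels;
};

// Parses the leading fields of an AudioSpecificConfig (assumed layout for this
// example); a false return means the input was truncated.
bool ParseAudioConfig(const std::vector<uint8_t>& buf, AudioConfig& c) {
    BoundedBitReader r(buf.data(), buf.size());
    c = AudioConfig{};
    uint32_t ext = 0;
    if (!r.ReadBits(5, c.object_type)) return false;
    if (c.object_type == 31) {               // escape value: 6 more bits follow
        if (!r.ReadBits(6, ext)) return false;
        c.object_type = 32 + ext;
    }
    if (!r.ReadBits(4, c.sample_rate_index)) return false;
    if (c.sample_rate_index == 15 &&         // explicit 24-bit sampling rate
        !r.ReadBits(24, c.sample_rate)) return false;
    return r.ReadBits(4, c.channels);
}
```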

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by compiling Bento4 with AddressSanitizer enabled, using Clang as the compiler. After building the application, the mp42aac tool can be used to process a crafted input file that triggers the buffer overflow. This input file can be generated using a fuzzer, such as AFL, and should be specified when running the mp42aac tool.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 2.5
exploitability: 6.0
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.