CVE-2018-14403

CRITICAL

MP4v2 <2.0.0 - Memory Corruption

Title source: llm

Description

MP4NameFirstMatches in mp4util.cpp in MP4v2 2.0.0 mishandles substrings of atom names, leading to use of an inappropriate data type for associated atoms. The resulting type confusion can cause out-of-bounds memory access.

References (5)

[Exploit, Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2018/07/18/3

[Release Notes] https://github.com/enzo1982/mp4v2/releases/tag/v2.1.0

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6YCHVOYPIBGM5HYUMQ77KZH2IHSITKVE/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRSO2IMK6P7MOIZWGWKONPIEHKBA7WL3/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GISUIWPKBWPXORUFNWBGFTKQS7UUVUC4/

Scores

CVSS v3 9.8

EPSS 0.0045

EPSS Percentile 63.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-704

Status published

Products (1)

techsmith/mp4v2 2.0.0

Published Jul 19, 2018

Tracked Since Feb 18, 2026