CVE-2021-21848
HIGHGPAC 1.0.1 - Heap-Based Buffer Overflow via MPEG-4 stz2 Atom Parsing
Title source: llmDescription
An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. The library will actually reuse the parser for atoms with the “stsz” FOURCC code when parsing atoms that use the “stz2” FOURCC code and can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1297
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2021/dsa-4966
Scores
CVSS v3
8.8
EPSS
0.0158
EPSS Percentile
72.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-119
CWE-680
Status
published
Products (3)
debian/debian_linux
10.0
debian/debian_linux
11.0
gpac/gpac
1.0.1
Published
Aug 25, 2021
Tracked Since
Feb 18, 2026