CVE-2021-40568

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2021-40568
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-40568.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-40568
Downstream
Published
2022-01-13T18:15:07.977Z
Modified
2025-11-20T11:53:39.380025Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A buffer overflow vulnerability exists in Gpac through 1.0.1 via a malformed MP4 file in the svcparseslice function in av_parsers.c, which allows attackers to cause a denial of service, even code execution and escalation of privileges.

References

Affected packages

Git / github.com/gpac/gpac

Affected ranges

Type
GIT
Repo
https://github.com/gpac/gpac
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
f1ae01d745200a258cdf62622f71754c37cb6c30

Affected versions

v0.*

v0.5.2
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.8.0
v0.9.0
v0.9.0-preview

v1.*

v1.0.0
v1.0.1

Database specific

vanir_signatures

[
    {
        "deprecated": false,
        "target": {
            "file": "src/media_tools/av_parsers.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "271653455945834763208605817383398407567",
                "108141525076181077294603074563806756805",
                "190803646424172019847377105406717169819",
                "89477344314601249121963044820989003834",
                "290637595160814789406353695481930629703",
                "63844348439704388504248188721780055958",
                "77211956177004889184976754078166324125",
                "93252862727952819464823552247917341008",
                "210379992823712861008072287307593731924",
                "164007027648911898047628708525104472158",
                "33139317742673087143301621788696875760",
                "71975751562691156573789078052992987280",
                "242024803436346367085704818926588916010",
                "299823168141144608576117028597126088114",
                "236105253951310564318966436216071134934",
                "110357499185969270537647273652446008653",
                "305083598892664072296549753441583846912"
            ]
        },
        "id": "CVE-2021-40568-29ccc687",
        "signature_type": "Line",
        "source": "https://github.com/gpac/gpac/commit/f1ae01d745200a258cdf62622f71754c37cb6c30",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/media_tools/av_parsers.c",
            "function": "svc_parse_slice"
        },
        "digest": {
            "length": 1785.0,
            "function_hash": "59411885416295801732352142629685711594"
        },
        "id": "CVE-2021-40568-48037a01",
        "signature_type": "Function",
        "source": "https://github.com/gpac/gpac/commit/f1ae01d745200a258cdf62622f71754c37cb6c30",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "file": "src/media_tools/av_parsers.c",
            "function": "gf_bs_read_ue_log_idx3"
        },
        "digest": {
            "length": 761.0,
            "function_hash": "10749217417946529625503250407587877509"
        },
        "id": "CVE-2021-40568-e854a826",
        "signature_type": "Function",
        "source": "https://github.com/gpac/gpac/commit/f1ae01d745200a258cdf62622f71754c37cb6c30",
        "signature_version": "v1"
    }
]