Home > Vulnerability Database > CVE-2021-21848

Mend.io Vulnerability Database

CVE-2021-21848

Date: August 25, 2021

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. The library will actually reuse the parser for atoms with the “stsz” FOURCC code when parsing atoms that use the “stz2” FOURCC code and can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Language: C

Severity Score

8.8

Related Resources (7)

Url: https://github.com/gpac/gpac/commit/b515fd04f5f00f4a99df741042f1efb31ad56351

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-21848

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2021-21848

Url: https://www.debian.org/security/2021/dsa-4966

Url: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1297

Url: https://security-tracker.debian.org/tracker/CVE-2021-21848

Url: https://www.mend.io/vulnerability-database/CVE-2021-21848

Severity Score

8.8

Weakness Type (CWE)

Buffer Errors

CWE-119

Integer Overflow or Wraparound

CWE-190

Integer Overflow to Buffer Overflow

CWE-680

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-21848

Date: August 25, 2021

Language: C

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?