CVE-2020-23928

7.1 HIGH

📋 TL;DR

CVE-2020-23928 is a heap-based buffer over-read vulnerability in GPAC's abst_box_read function that allows reading beyond allocated memory boundaries. It affects users of the GPAC multimedia framework before version 1.0.1 who process malicious media files, and can lead to information disclosure or application crashes.

💻 Affected Systems

Products:
  • GPAC Multimedia Framework
Versions: All versions before 1.0.1
Operating Systems: Linux, Windows, macOS, All platforms running GPAC
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when processing specially crafted media files containing Adobe-specific metadata boxes.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if combined with other vulnerabilities, though buffer over-reads typically only allow information disclosure.

🟠 Likely Case: Application crash (denial of service) or information disclosure from heap memory, potentially exposing sensitive data.

🟢 If Mitigated: Limited impact with proper memory protections (ASLR, DEP) and sandboxing, likely resulting only in application crashes.

🌐 Internet-Facing: MEDIUM - Exploitation requires processing malicious media files, which could be delivered via web applications or media servers.
🏢 Internal Only: LOW - Requires user interaction to open malicious files or processing by automated systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof-of-concept exists in GitHub issues. Exploitation requires crafting malicious media files that trigger the buffer over-read.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.1 and later

Vendor Advisory: https://github.com/gpac/gpac/commit/8e05648d6b4459facbc783025c5c42d301fef5c3

Restart Required: Yes

Instructions:

1. Update GPAC to version 1.0.1 or later.
2. Recompile if using source.
3. Restart any services using GPAC.

🔧 Temporary Workarounds

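Input Validation (all platforms)

Implement strict input validation for media files before processing with GPAC.

Sandbox Execution (Linux)

Run GPAC in a sandboxed environment with limited permissions. The bubblewrap executable is named bwrap, and it needs a root filesystem bound in before it can start gpac:

firejail --net=none gpac
bwrap --ro-bind / / --dev /dev --proc /proc --unshare-all --new-session gpac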

🧯 If You Can't Patch

  • Implement network segmentation to isolate GPAC instances
  • Deploy application allowlisting to prevent execution of unauthorized GPAC processes

🔍 How to Verify

Check if Vulnerable:

Check the GPAC version: gpac -version. If the version is below 1.0.1, the system is vulnerable.

Check Version:

gpac -version

Verify Fix Applied:

Verify GPAC version is 1.0.1 or higher: gpac -version 2>&1 | grep -Eq '(^|[^0-9.])(1\.0\.[1-9]|1\.[1-9]|[2-9]\.)'
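
A substring grep on the banner can match unrelated numbers, so the following added example (not part of the original advisory or of GPAC) extracts the version and compares it field by field against 1.0.1. It assumes the banner contains the word "version" followed by a dotted number; the function names are hypothetical and the sample banners are constructed.

```shell
#!/bin/sh
# Added example: decide whether a GPAC version banner predates the 1.0.1 fix.
FIXED="1.0.1"   # first fixed release, per this advisory

# Print the dotted number that follows the word "version" (first match only).
# Assumption: banner text looks like "... version 1.0.1-rev0-...".
extract_version() {
    sed -nE 's/.*[Vv]ersion[[:space:]]+([0-9]+(\.[0-9]+)+).*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 >= $2; missing fields count as 0.
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        f1=${v1%%.*}; f2=${v2%%.*}
        # Drop the field just read from each version string.
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
        [ "${f1:-0}" -gt "${f2:-0}" ] && return 0
        [ "${f1:-0}" -lt "${f2:-0}" ] && return 1
    done
    return 0
}

# Classify banner text passed as $1: "patched X", "vulnerable X" or "unknown".
# Suffixes such as -rev... or -DEV are ignored; "unknown" needs a manual check.
gpac_status() {
    ver=$(printf '%s\n' "$1" | extract_version)
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_ge "$ver" "$FIXED"; then
        echo "patched $ver"
    else
        echo "vulnerable $ver"
    fi
}

# Constructed sample banners (not captured from real hosts).
gpac_status "gpac - GPAC command line filter engine - version 1.0.1-rev0-gabcdef0"
gpac_status "MP4Box - GPAC version 0.8.0-rev0-gabcdef0"

# Live check on a host with GPAC installed:
#   gpac_status "$(gpac -version 2>&1)"
```

Treat an "unknown" result as unverified rather than safe, for example when the binary is missing or the banner format differs from the assumption.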

📡 Detection & Monitoring

Log Indicators:

  • GPAC segmentation faults
  • Abnormal memory access errors in system logs
  • Unexpected GPAC process termination

Network Indicators:

  • Unusual media file uploads to systems using GPAC
  • Multiple failed processing attempts

SIEM Query:

process_name:gpac AND (event_type:crash OR memory_violation)
