CVE-2021-21859

8.8 HIGH

📋 TL;DR

An integer truncation vulnerability in GPAC's MPEG-4 decoder allows memory corruption when processing specially crafted video files. Attackers can exploit this by tricking users into opening malicious videos, potentially leading to arbitrary code execution. This affects applications using the GPAC library for video processing.

💻 Affected Systems

Products:
  • GPAC Project on Advanced Content library
  • Applications using GPAC for MPEG-4 decoding
Versions: v1.0.1 and earlier
Operating Systems: All platforms where GPAC is used (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using GPAC's MPEG-4 decoding functionality is vulnerable when processing untrusted video files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the application using the GPAC library, potentially leading to full system compromise.

🟠 Likely Case

Application crash (denial of service) or limited code execution depending on exploit sophistication and memory protections.

🟢 If Mitigated

Application crash with no code execution if ASLR/DEP/other mitigations are effective.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious video, but common in media processing applications.
🏢 Internal Only: LOW - Still requires user interaction with malicious content.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious MPEG-4 video file and convincing a user to open it. A proof of concept is available in the Talos advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.0.2 or later

Vendor Advisory: https://github.com/gpac/gpac/security/advisories

Restart Required: Yes

Instructions:

1. Update GPAC library to v1.0.2 or later.
2. Rebuild applications using GPAC.
3. Restart affected applications/services.

🔧 Temporary Workarounds

Disable MPEG-4 processing (Platform: all)

Configure applications to disable MPEG-4 video processing if not required

Sandbox media processing (Platform: linux)

Run media processing applications in restricted containers/sandboxes

docker run --security-opt=no-new-privileges --read-only -v /tmp:/tmp:rw media_app

🧯 If You Can't Patch

  • Implement strict input validation for video files from untrusted sources
  • Use application allowlisting to prevent execution of unauthorized media processing tools

🔍 How to Verify

Check if Vulnerable:

Check the GPAC library version with gpac -version, or check the linked library version in applications that use GPAC.

Check Version:

gpac -version 2>/dev/null | head -1

Verify Fix Applied:

Confirm the GPAC version is 1.0.2 or higher and that applications have been rebuilt with the updated library.
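
An added example (not from the GPAC project or the advisory) that turns the version check above into a pass/fail test against the fixed release v1.0.2. The banner lines are constructed, and the "GPAC version X.Y.Z-..." layout and the "-DEV" marker for development builds are assumptions about the tool's output; a development build is reported as unknown because its number alone does not show whether the fix is included.

```shell
#!/bin/sh
# Added example. FIXED_VERSION is the patch version stated on this page.
FIXED_VERSION="1.0.2"

# Print the first dotted numeric version (X.Y or X.Y.Z) found in a banner line.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+(\.[0-9]+){1,2}' | head -n 1
}

# Return 0 when version $1 >= version $2. Fields are compared as numbers,
# so 1.0.10 ranks above 1.0.2 (a plain string comparison gets this wrong).
version_ge() {
    for field in 1 2 3; do
        x=$(printf '%s' "$1" | cut -d. -f"$field")
        y=$(printf '%s' "$2" | cut -d. -f"$field")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Classify one banner line as "vulnerable", "patched" or "unknown".
classify_gpac() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo unknown                      # no version found in the banner
    elif ! version_ge "$v" "$FIXED_VERSION"; then
        echo vulnerable                   # older than the fixed release
    else
        case "$1" in
            *-DEV*) echo unknown ;;       # assumed dev-build marker: confirm the fix by hand
            *)      echo patched ;;
        esac
    fi
}

# Constructed banner lines (assumed layout), not captured tool output.
for banner in \
    "GPAC version 1.0.1-rev0-g0000000-master" \
    "GPAC version 1.0.2-rev0-g0000000-master" \
    "GPAC version 1.1.0-DEV-rev1-g0000000-master"
do
    printf '%-45s %s\n' "$banner" "$(classify_gpac "$banner")"
done
```

To check an installed copy, pass the function the first line printed by the Check Version command above, for example classify_gpac "$(gpac -version 2>/dev/null | head -1)".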

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing video files
  • Memory access violation errors in application logs

Network Indicators:

  • Unusual video file downloads from untrusted sources

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "access violation") AND process="*gpac*"
