CVE-2021-21861

8.8 HIGH

📋 TL;DR

CVE-2021-21861 is an integer truncation vulnerability in GPAC's MPEG-4 decoder that allows a heap-based buffer overflow via specially crafted video files. Attackers can exploit this by tricking users into opening malicious videos, potentially leading to arbitrary code execution. This affects applications that use GPAC library version 1.0.1 for media processing.

💻 Affected Systems

Products:
  • GPAC Project on Advanced Content library
Versions: v1.0.1
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using GPAC library for MPEG-4 decoding is vulnerable when processing untrusted video files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the application processing the video, potentially leading to full system compromise.

🟠 Likely Case

Application crash (denial of service) or limited memory corruption leading to unstable behavior.

🟢 If Mitigated

Application crash without code execution if memory protections (ASLR, DEP) are effective.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious video file. A public proof-of-concept exists in the Talos advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.0.1+ (patched versions available in downstream distributions)

Vendor Advisory: https://github.com/gpac/gpac/issues/1766

Restart Required: Yes

Instructions:

1. Update the GPAC library to a patched version from the official repository or distribution channels.
2. Rebuild/redeploy applications using GPAC.
3. Restart affected services.

🔧 Temporary Workarounds

Input validation (all): Implement strict validation of MPEG-4 file inputs before processing.

Sandbox media processing (all): Isolate media processing components in restricted environments.

🧯 If You Can't Patch

  • Block processing of untrusted MPEG-4 files
  • Implement application allowlisting to prevent unauthorized media players

🔍 How to Verify

Check if Vulnerable:

Check GPAC library version: gpac -version or examine linked library versions in applications

Check Version:

gpac -version 2>/dev/null | head -1

Verify Fix Applied:

Verify that the updated version is installed and that applications are rebuilt with the patched library.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected process termination during media processing

Network Indicators:

  • Downloads of suspicious video files from untrusted sources

SIEM Query:

((Process:Name="*gpac*" OR Process:Name="*media*") AND (EventID=1000 OR EventID=1001)) (Windows) OR kernel:segfault (Linux)
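
The Linux half of the query above, as an added example (not part of the original page or of GPAC): a parser for kernel segfault lines that keeps only crashes whose process name or faulting library matches the page's name patterns. The log lines, host name and library file name are constructed sample data, and the write-fault flag assumes x86 page-fault error codes.

```python
import re

# Linux kernel line: "<comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <code> in <object>[...]"
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[\]]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[)?"
)

# Name fragments taken from the page's query ("*gpac*", "*media*").
WATCHED = ("gpac", "media")


def gpac_segfaults(lines):
    """Return segfault records whose process name or faulting object matches WATCHED."""
    hits = []
    for line in lines:
        m = SEGFAULT_RE.search(line)
        if not m:
            continue
        comm, obj = m.group("comm"), m.group("obj") or ""
        if any(w in comm.lower() or w in obj.lower() for w in WATCHED):
            hits.append({
                "comm": comm,
                "pid": int(m.group("pid")),
                "object": obj,
                "fault_addr": int(m.group("addr"), 16),
                # Assumption: x86 page-fault error code, where bit 1 means a write access.
                "write": bool(int(m.group("err"), 16) & 2),
            })
    return hits


# Constructed sample log lines (not real incident data).
SAMPLE = [
    "Jun 10 09:14:02 host1 kernel: [ 8123.441210] MP4Box[4321]: segfault at 55d0c8e3f000 "
    "ip 00007f3a1b2c4d10 sp 00007ffd5e8a1230 error 6 in libgpac.so.10[7f3a1b000000+600000]",
    "Jun 10 09:15:40 host1 kernel: [ 8221.100034] transcoder[5120]: segfault at 0 "
    "ip 00007f90aa1140c2 sp 00007ffe11c2a9f0 error 4 in libgpac.so.10[7f90aa000000+600000]",
    "Jun 10 09:16:05 host1 kernel: [ 8246.902771] nginx[812]: segfault at 10 "
    "ip 000055e2a7b3c1f4 sp 00007ffc2d1e0b80 error 4 in nginx[55e2a7a00000+120000]",
    "Jun 10 09:16:30 host1 sshd[900]: Accepted publickey for ops from 10.0.0.5",
]

if __name__ == "__main__":
    for hit in gpac_segfaults(SAMPLE):
        print(hit)
```

Matching on the faulting object as well as the process name catches applications that link the library under a different process name, which a name-only filter misses.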
