CVE-2021-31254

7.8 HIGH

📋 TL;DR

CVE-2021-31254 is a buffer overflow vulnerability in GPAC's MP4Box tool that allows attackers to cause denial of service or execute arbitrary code by providing a specially crafted MP4 file with invalid IV sizes. This affects systems running vulnerable versions of GPAC that process untrusted media files. The vulnerability is particularly dangerous for media processing servers and applications that use GPAC libraries.

💻 Affected Systems

Products:
  • GPAC
  • MP4Box
Versions: GPAC 1.0.1 and earlier versions
Operating Systems: All platforms running GPAC (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using GPAC libraries to process MP4 files is vulnerable. The tenc_box_read function is called during MP4 file parsing.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the privileges of the GPAC process, potentially leading to full system compromise.

🟠 Likely Case: Denial of service through application crashes when processing malicious media files.

🟢 If Mitigated: Limited impact if proper input validation and sandboxing are implemented.

🌐 Internet-Facing: MEDIUM - Exploitation requires file upload/processing capability, but many media servers are internet-facing.
🏢 Internal Only: LOW - Requires user interaction or automated processing of malicious files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires providing a malicious MP4 file to the vulnerable application. The GitHub issues show proof-of-concept discussions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GPAC versions after commit 8986422c21fbd9a7bf6561cae65aae42077447e8

Vendor Advisory: https://github.com/gpac/gpac/commit/8986422c21fbd9a7bf6561cae65aae42077447e8

Restart Required: Yes

Instructions:

1. Update GPAC to the latest version.
2. Rebuild applications using GPAC libraries.
3. Restart affected services.

🔧 Temporary Workarounds

Disable MP4 processing

all

Temporarily disable MP4 file processing in applications using GPAC

Input validation

all

Implement strict file type validation before passing to GPAC
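
One way to implement the input-validation workaround for this specific bug, as an added example (not GPAC's code and not the upstream patch): a pre-filter that locates `tenc` boxes in a file and rejects IV sizes outside the values ISO/IEC 23001-7 allows (0, 8 or 16 per sample; 8 or 16 constant). The function names, the byte-scan heuristic and the sample boxes are assumptions made for the example.

```python
import struct

VALID_PER_SAMPLE_IV = {0, 8, 16}   # ISO/IEC 23001-7 default_Per_Sample_IV_Size
VALID_CONSTANT_IV = {8, 16}        # ISO/IEC 23001-7 default_constant_IV_size

def check_tenc_boxes(data: bytes) -> list[str]:
    """Return one finding per suspicious 'tenc' box; an empty list means none."""
    findings = []
    pos = data.find(b"tenc")
    while pos != -1:
        start = pos - 4                      # 32-bit box size precedes the fourcc
        nxt = data.find(b"tenc", pos + 4)
        if start < 0:                        # no room for a size field: not a box
            pos = nxt
            continue
        size = struct.unpack(">I", data[start:pos])[0]
        body = data[pos + 4:start + size]    # slicing clamps at end of buffer
        # body: version(1) flags(3) reserved(1) reserved-or-pattern(1)
        #       isProtected(1) Per_Sample_IV_Size(1) KID(16) [const_IV_size(1) const_IV]
        if size < 32 or len(body) < 24:
            findings.append(f"offset {start}: tenc box truncated (size={size})")
        else:
            is_protected, iv_size = body[6], body[7]
            if iv_size not in VALID_PER_SAMPLE_IV:
                findings.append(f"offset {start}: per-sample IV size {iv_size}")
            elif is_protected == 1 and iv_size == 0:
                const_size = body[24] if len(body) > 24 else None
                if const_size not in VALID_CONSTANT_IV:
                    findings.append(f"offset {start}: constant IV size {const_size}")
                elif len(body) < 25 + const_size:
                    findings.append(f"offset {start}: constant IV truncated")
        pos = nxt
    return findings

def make_tenc(iv_size, is_protected=1, const_iv=b""):
    """Constructed sample input: build a version-0 tenc box for the check."""
    body = bytes([0, 0, 0, 0, 0, 0, is_protected, iv_size]) + bytes(16)
    if const_iv:
        body += bytes([len(const_iv)]) + const_iv
    return struct.pack(">I", 8 + len(body)) + b"tenc" + body

if __name__ == "__main__":
    for label, box in [("valid", make_tenc(8)), ("invalid", make_tenc(200))]:
        print(label, check_tenc_boxes(box) or "no findings")
```

Because it scans for the `tenc` fourcc instead of walking the box tree, it can also flag media payload bytes that happen to contain `tenc`; treat a finding as a reason to quarantine the file before it reaches GPAC.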

🧯 If You Can't Patch

  • Implement network segmentation to isolate GPAC processing systems
  • Use application sandboxing/containerization to limit exploit impact

🔍 How to Verify

Check if Vulnerable:

Check the GPAC version with 'MP4Box -version' or 'gpac -version'. If the version is 1.0.1 or earlier, the system is vulnerable.

Check Version:

MP4Box -version 2>&1 | head -1

Verify Fix Applied:

Verify that the installed GPAC build is newer than commit 8986422c21fbd9a7bf6561cae65aae42077447e8. Test with known malicious MP4 files.

📡 Detection & Monitoring

Log Indicators:

  • GPAC/MP4Box crash logs
  • Segmentation fault errors in system logs
  • Abnormal process termination

Network Indicators:

  • Unusual MP4 file uploads to media processing endpoints
  • Large number of failed media processing requests

SIEM Query:

process_name:"MP4Box" AND (event_type:crash OR exit_code:139)
