CVE-2021-40570

7.8 HIGH

📋 TL;DR

A double-free vulnerability in Gpac's MP4Box allows attackers to cause denial of service or potentially execute arbitrary code. This affects systems running vulnerable versions of Gpac that process malicious MP4 files. The vulnerability can lead to application crashes or full system compromise.

💻 Affected Systems

Products:
  • Gpac
  • MP4Box
Versions: Gpac 1.0.1 and possibly earlier versions
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Any system using MP4Box to process MP4 files is vulnerable. The vulnerability is in the avc_compute_poc function in av_parsers.c.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to full system compromise, privilege escalation, and persistent access to affected systems.

🟠 Likely Case

Denial of service through application crashes when processing malicious MP4 files.

🟢 If Mitigated

Application crash without code execution if memory protections are enabled.

🌐 Internet-Facing: MEDIUM - Requires processing malicious MP4 files, which could be uploaded or served to vulnerable systems.
🏢 Internal Only: LOW - Typically requires local access or specific workflows involving MP4 processing.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious MP4 file that triggers the double-free condition. Public GitHub issues demonstrate the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 04dbf08bff4d61948bab80c3f9096ecc60c7f302 and later versions

Vendor Advisory: https://github.com/gpac/gpac/commit/04dbf08bff4d61948bab80c3f9096ecc60c7f302

Restart Required: Yes

Instructions:

1. Update Gpac to a version containing commit 04dbf08bff4d61948bab80c3f9096ecc60c7f302 or later.
2. Rebuild from source if using custom builds.
3. Restart any services using MP4Box.

🔧 Temporary Workarounds

Disable MP4Box processing (linux)

Temporarily disable or restrict MP4Box usage until patched

chmod -x /usr/bin/MP4Box
mv /usr/bin/MP4Box /usr/bin/MP4Box.disabled

Input validation (all)

Implement strict validation of MP4 files before processing

🧯 If You Can't Patch

  • Implement strict access controls to limit who can submit MP4 files for processing
  • Deploy memory protection mechanisms like ASLR and DEP to reduce exploit success

🔍 How to Verify

Check if Vulnerable:

Check the Gpac version with gpac -version, or examine the installed package version. Versions before commit 04dbf08bff4d61948bab80c3f9096ecc60c7f302 are vulnerable.

Check Version:

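# Fall back to the package manager only when gpac is not on PATH
command -v gpac >/dev/null 2>&1 && gpac -version 2>/dev/null | head -1 || dpkg -l | grep gpac || rpm -qa | grep gpac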

Verify Fix Applied:

Verify that the installed Gpac version contains commit 04dbf08bff4d61948bab80c3f9096ecc60c7f302, or check the package manager for an updated version.

📡 Detection & Monitoring

Log Indicators:

  • MP4Box crash logs
  • segmentation fault errors in system logs
  • unexpected process termination

Network Indicators:

  • Unusual MP4 file uploads to processing systems
  • Multiple failed MP4 processing attempts

SIEM Query:

process_name="MP4Box" AND (event_type="crash" OR exit_code="139" OR exit_code="-11")
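
The SIEM query above, written as a filter over exported process events. This is an added example, not part of the original advisory or of Gpac: the `source` field, the threshold and the sample events are constructed, and SIGABRT (134 / -6) is an assumption added here because glibc aborts a process when it detects a double free.

```python
from collections import Counter

# Linux signal numbers treated as memory-safety crashes. SIGABRT is an addition
# to the page's query: glibc aborts the process when it detects a double free.
CRASH_SIGNALS = {6: "SIGABRT", 11: "SIGSEGV"}

def exit_to_signal(exit_code):
    """Signal number for an exit code, or None for a normal exit.

    Handles both encodings in the query: negative (-11) and shell-style 128+N (139).
    """
    code = int(exit_code)
    if code < 0:
        return -code
    if 128 < code <= 128 + 64:
        return code - 128
    return None

def find_crashes(events, process="MP4Box"):
    """Return (event, signal_name) pairs for crash terminations of `process`."""
    hits = []
    for ev in events:
        if ev.get("process_name") != process:
            continue
        name = CRASH_SIGNALS.get(exit_to_signal(ev.get("exit_code", 0)))
        if name or ev.get("event_type") == "crash":
            hits.append((ev, name or "unknown"))
    return hits

def repeat_sources(hits, threshold=2):
    """Sources (hypothetical 'source' field) with at least `threshold` crashes."""
    counts = Counter(ev.get("source", "unknown") for ev, _ in hits)
    return sorted(s for s, n in counts.items() if n >= threshold)

# Constructed sample events; field names other than 'source' follow the query.
SAMPLE_EVENTS = [
    {"process_name": "MP4Box", "event_type": "exit", "exit_code": "0", "source": "10.0.0.5"},
    {"process_name": "MP4Box", "event_type": "exit", "exit_code": "139", "source": "10.0.0.9"},
    {"process_name": "MP4Box", "event_type": "exit", "exit_code": "-6", "source": "10.0.0.9"},
    {"process_name": "MP4Box", "event_type": "exit", "exit_code": "134", "source": "10.0.0.7"},
    {"process_name": "ffmpeg", "event_type": "exit", "exit_code": "139", "source": "10.0.0.9"},
    {"process_name": "MP4Box", "event_type": "exit", "exit_code": "1", "source": "10.0.0.9"},
]

if __name__ == "__main__":
    hits = find_crashes(SAMPLE_EVENTS)
    for ev, name in hits:
        print(ev["source"], ev["exit_code"], name)
    print("repeat sources:", repeat_sources(hits))
```

Grouping crashes by source also covers the "Multiple failed MP4 processing attempts" indicator listed above.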
