CVE-2021-45266

7.5 HIGH

📋 TL;DR

A null pointer dereference vulnerability in gpac 1.1.0 allows attackers to cause a segmentation fault and crash the application via the lsr_read_anim_values_ex function. This affects systems running vulnerable versions of the gpac multimedia framework. The crash could lead to denial of service for applications using gpac.

💻 Affected Systems

Products:
  • gpac
Versions: 1.1.0
Operating Systems: All platforms running gpac
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using gpac to process media files is potentially vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for applications relying on gpac, potentially disrupting media processing services or causing system instability.

🟠 Likely Case

Application crash when processing specially crafted media files, leading to service disruption.

🟢 If Mitigated

Minimal impact with proper input validation and crash recovery mechanisms in place.

🌐 Internet-Facing: MEDIUM - Exploitable if gpac processes untrusted media files from external sources.
🏢 Internal Only: LOW - Requires processing of malicious media files, which is less likely in controlled internal environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires feeding a specially crafted media file to gpac. The GitHub issue contains technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in gpac 1.1.0-DEV and later versions

Vendor Advisory: https://github.com/gpac/gpac/issues/1985

Restart Required: Yes

Instructions:

1. Update gpac to version 1.1.0-DEV or later.
2. Rebuild any applications using gpac.
3. Restart affected services.

🔧 Temporary Workarounds

Input validation (all platforms)

Implement strict input validation for media files processed by gpac

Process isolation (Linux)

Run gpac in isolated containers or sandboxes to limit crash impact

docker run --security-opt=no-new-privileges -it gpac

🧯 If You Can't Patch

  • Implement crash monitoring and automatic restart for gpac processes
  • Restrict gpac to process only trusted media files from verified sources
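
One way to implement the crash monitoring and input quarantine described in the workarounds above, as an added example that is not part of the original advisory or of the gpac project: the media command runs in a child process, termination by a signal such as SIGSEGV is read from the return code, and the offending file is moved aside so a restart does not retry it. The names run_isolated and classify, the "{input}" placeholder and the quarantine directory are assumptions of this example; the command line to run is supplied by the caller.

```python
import shutil
import signal
import subprocess
import sys
import tempfile
from pathlib import Path


def classify(returncode):
    """Map a child's return code to ok / error / crash:<SIGNAL>."""
    if returncode == 0:
        return "ok"
    if returncode < 0:  # POSIX: child was terminated by signal -returncode
        try:
            return "crash:" + signal.Signals(-returncode).name
        except ValueError:
            return "crash:SIG%d" % -returncode
    return "error"


def run_isolated(cmd, media, quarantine, timeout=30):
    """Run cmd on one media file in a child process and return a verdict.

    cmd is an argv list in which "{input}" is replaced by the file path.
    A file that crashes or hangs the child is moved to quarantine so that
    an automatic restart does not feed it to the parser again.
    """
    media = Path(media)
    argv = [arg.replace("{input}", str(media)) for arg in cmd]
    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
        verdict = classify(proc.returncode)
    except subprocess.TimeoutExpired:
        verdict = "timeout"
    if verdict == "timeout" or verdict.startswith("crash:"):
        Path(quarantine).mkdir(parents=True, exist_ok=True)
        shutil.move(str(media), str(Path(quarantine) / media.name))
    return verdict


if __name__ == "__main__":
    # Constructed stand-in for a crashing parser: a child that sends itself
    # SIGSEGV. In production, cmd would be the gpac command line in use.
    segv = [sys.executable, "-c",
            "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)", "{input}"]
    work = Path(tempfile.mkdtemp())
    sample = work / "sample.bin"
    sample.write_bytes(b"constructed sample, not a real media file")
    print(run_isolated(segv, sample, work / "quarantine"))
```

Logging each non-"ok" verdict together with the file name gives the crash events that the log indicators below look for.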

🔍 How to Verify

Check if Vulnerable:

Check the gpac version: gpac -version. If the output shows 1.1.0, the system is vulnerable.

Check Version:

gpac -version

Verify Fix Applied:

Update gpac and verify version is 1.1.0-DEV or later. Test with known malicious media files.

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors in system logs
  • gpac process crashes
  • Core dumps from gpac

Network Indicators:

  • Unusual media file uploads to systems using gpac

SIEM Query:

process.name:gpac AND event.type:crash
