CVE-2022-30976

7.1 HIGH

📋 TL;DR

CVE-2022-30976 is a heap-based buffer over-read in utf8_wcslen, the UTF-8 string-length routine in GPAC's utils/utf.c. A crafted MP4 file makes the function read past the end of a heap buffer, which can crash the process (denial of service) or disclose adjacent heap memory; the bug reads memory, it does not write it. GPAC 2.0.0 is affected, including the MP4Box tool built from it.
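
The page does not show the affected code, so here is an added illustration of the bug class (a constructed example, not GPAC's code): a UTF-8 code-point counter that steps through a string by each lead byte's announced length and stops only at a NUL it never checks for, beside a hardened version that takes the field length from the caller. It is written in Python with a bytearray standing in for the heap so it runs as a test; in C the same walk is the heap buffer over-read, and the bytes it reads past the field would belong to a neighbouring allocation. The string field and the neighbouring data are invented.

```python
# Added illustration of the bug class (constructed; not GPAC's code).
# A bytearray stands in for the heap: the string copied out of a file box
# sits first, with no NUL terminator of its own, and unrelated data from a
# neighbouring allocation follows it.

def utf8_seq_len(lead):
    """Bytes in the UTF-8 sequence announced by a lead byte; 0 if invalid."""
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    return 0  # continuation byte or invalid lead


def naive_wcslen(heap, start):
    """Vulnerable pattern: count code points until a NUL, stepping over each
    sequence by its announced length. Nothing bounds the walk, so a string
    without a terminator, or one ending in a truncated sequence, makes it
    read past the string into whatever the heap holds next (in C this is
    the heap buffer over-read). Returns (count, index where the walk
    stopped) so the over-read is observable."""
    i, count = start, 0
    while heap[i] != 0:                  # C: while (*p)
        i += utf8_seq_len(heap[i]) or 1  # C: p += n, unchecked (1 avoids a stall)
        count += 1
    return count, i


def safe_wcslen(buf, maxlen):
    """Hardened form: the caller passes the size of the field it read from
    the file; every access stays below maxlen and a truncated or malformed
    sequence is rejected instead of skipped. Returns None on bad input."""
    i, count = 0, 0
    while i < maxlen and buf[i] != 0:
        n = utf8_seq_len(buf[i])
        if n == 0 or i + n > maxlen:
            return None                  # invalid lead or truncated sequence
        if any(not 0x80 <= b <= 0xBF for b in buf[i + 1:i + n]):
            return None                  # bad continuation byte
        i += n
        count += 1
    return count


# Constructed input: 'a', 'b', then the first two bytes of U+20AC (a 3-byte
# sequence) with the third byte missing, and no terminator.
FIELD = b"ab\xe2\x82"
NEIGHBOUR = b"secret\x00"               # adjacent allocation the walk leaks into
HEAP = bytearray(FIELD + NEIGHBOUR)


def demo():
    """(naive count, bytes read beyond the field, hardened result)."""
    count, stop = naive_wcslen(HEAP, 0)
    return count, stop - len(FIELD), safe_wcslen(FIELD, len(FIELD))
```

A C build of the naive routine run under AddressSanitizer reports this pattern as a heap-buffer-overflow READ; a normal build just returns a wrong count and may not crash at all, which is why over-reads are easy to miss in testing.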

💻 Affected Systems

Products:
  • GPAC
  • MP4Box
Versions: GPAC 2.0.0 specifically
Operating Systems: All platforms running GPAC (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Any build containing the affected utf8_wcslen function in utils/utf.c is exposed whenever it parses untrusted input; this includes MP4Box and other programs built on the GPAC library.

📦 What is this software?

GPAC is an open-source multimedia framework; MP4Box is its command-line tool for packaging, inspecting and editing MP4 (ISOBMFF) files. Both parse media files supplied from outside, which is the attack surface for this bug.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Disclosure of adjacent heap contents (data from other parts of the file or of the process) to an attacker who can observe the tool's output, together with a crash. The bug is a read, not a write, so code execution is not an expected outcome.

🟠

Likely Case

Application crash (denial of service) while processing the crafted file, or leakage of heap memory into output or logs.

🟢

If Mitigated

A crash of an isolated, unprivileged worker with no further impact. Memory protections such as ASLR or stack canaries do not stop an over-read; containment comes from running the parser with minimal privilege and treating its output on untrusted input as untrusted.

🌐 Internet-Facing: MEDIUM - the attacker must get the target to process a file they supply; services that accept uploaded media and run MP4Box on it are the realistic exposure.
🏢 Internal Only: MEDIUM - same mechanism, limited to files that internal users or pipelines feed to MP4Box.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: Not known; no weaponized exploit is referenced here
Unauthenticated Exploit: ⚠️ Yes (no credentials are needed to craft the file, but the victim has to process it)
Complexity: MEDIUM

Exploitation requires a crafted MP4 file. The linked GitHub issue documents the crash and the proof of concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GPAC 2.1.0 or later

Vendor Advisory: https://github.com/gpac/gpac/issues/2179

Restart Required: Yes, for any long-running service that embeds or invokes GPAC

Instructions:

1. Update GPAC to version 2.1.0 or later. If you rely on a distribution package, confirm it is at 2.1.0 or later or carries a backported fix.
2. If you build from source, rebuild from a release tag at or after 2.1.0. Development snapshots (version strings ending in -DEV) must be checked by commit, not by version number.
3. Restart any services that use GPAC/MP4Box so they pick up the new binaries and libraries.

🔧 Temporary Workarounds

Disable MP4Box processing

linux

Until patched, stop whatever runs MP4Box on untrusted input and remove execute permission from the binary. The unit name below is a placeholder for the service that invokes MP4Box in your environment; the chmod only blocks the MP4Box binary, not other programs that link the GPAC library.

sudo systemctl stop mp4box-service
sudo chmod 000 /usr/bin/MP4Box

Input validation

all

A pre-check cannot reliably spot the malformed string field that triggers the over-read without parsing the file itself, so treat validation as defence in depth: accept MP4 input only from trusted sources, and run MP4Box on anything else as an unprivileged user in an isolated worker (container or dedicated account) with a timeout, discarding the output if the process crashes.

🧯 If You Can't Patch

  • Isolate the hosts or containers that run GPAC so a crash or a leaked heap fragment cannot reach other systems
  • Use application allowlisting to prevent unauthorized GPAC execution
  • Run GPAC/MP4Box as a dedicated low-privilege user and treat its output on untrusted input as untrusted

🔍 How to Verify

Check if Vulnerable:

Check the GPAC version with gpac -version or MP4Box -version. If the output shows 2.0.0, the installation is vulnerable; a version string ending in -DEV must be checked against the fix commit rather than by number.

Check Version:

gpac -version 2>&1 | head -1

Verify Fix Applied:

After the update, verify the version shows 2.1.0 or later. Re-run the reproducer from the GitHub issue against the updated build, with an AddressSanitizer build where possible: an over-read often does not crash a normal build, so a clean run there proves little, while ASan reports the out-of-bounds read directly.
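
A fleet check that automates the version test above, as an added example (not a GPAC tool). It assumes the -version output contains "GPAC version X.Y.Z" for releases and "GPAC version X.Y-DEV" for development snapshots, flags 2.0.0 as vulnerable per this page, flags -DEV builds for a manual check of the commit, and labels other pre-2.1.0 releases as older than the fix rather than asserting anything the page does not. Sample outputs and revision hashes are constructed.

```python
import re
import shutil
import subprocess

FIXED = (2, 1, 0)  # first release the advisory lists as carrying the fix

# Assumed formats: releases print "GPAC version 2.0.0-rev...", development
# snapshots print "GPAC version 2.1-DEV-rev...".
VERSION_RE = re.compile(r"GPAC version\s+(\d+)\.(\d+)(?:\.(\d+))?(-DEV)?")


def parse_gpac_version(output):
    """((major, minor, patch), is_dev_snapshot) from -version text,
    or None when no 'GPAC version' string is present."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, bool(m.group(4))


def assess(output):
    """One of: unknown, dev-check-revision, vulnerable, older-than-fix, fixed."""
    parsed = parse_gpac_version(output)
    if parsed is None:
        return "unknown"
    version, is_dev = parsed
    if is_dev:
        # A -DEV snapshot may predate the fix commit; the version string
        # alone cannot tell, so compare the git revision by hand.
        return "dev-check-revision"
    if version == (2, 0, 0):
        return "vulnerable"          # the version this advisory covers
    if version < FIXED:
        return "older-than-fix"      # not assessed here; not known-good
    return "fixed"


def check_installed(binary="MP4Box"):
    """Run the installed binary (assumed on PATH) and assess its output."""
    path = shutil.which(binary)
    if path is None:
        return "not-installed"
    proc = subprocess.run([path, "-version"], capture_output=True, text=True)
    return assess(proc.stdout + proc.stderr)


# Constructed samples shaped like the first line MP4Box prints; the
# revision hashes are placeholders, not real GPAC commits.
SAMPLE_AFFECTED = "MP4Box - GPAC version 2.0.0-rev0-g0000000-master\n"
SAMPLE_DEV = "MP4Box - GPAC version 2.1-DEV-rev123-g0000000-master\n"
SAMPLE_FIXED = "gpac - GPAC version 2.2.1-rev0-g0000000-master\n"

if __name__ == "__main__":
    for name, text in (("affected", SAMPLE_AFFECTED),
                       ("dev", SAMPLE_DEV), ("fixed", SAMPLE_FIXED)):
        print(name, "->", assess(text))
    print("installed MP4Box ->", check_installed())
```

Run it on each host that processes media; anything other than "fixed" needs follow-up, and "dev-check-revision" means comparing the build's commit against the fix rather than trusting the number.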

📡 Detection & Monitoring

Log Indicators:

  • GPAC/MP4Box segmentation faults (kernel segfault lines, systemd-coredump notices, wrapper exit code 139 = 128 + SIGSEGV)
  • Memory access violation errors in system logs
  • Unexpected process termination while handling a specific input file

An over-read that stays inside mapped memory produces no crash at all, so the absence of these indicators does not mean the bug was not triggered.

Network Indicators:

  • MP4 files arriving from unexpected sources at hosts that run GPAC
  • Repeated processing failures on the same input file

SIEM Query:

process_name:"MP4Box" AND (event_type:"crash" OR exit_code:139)

Field names depend on your SIEM schema; exit code 139 is 128 + 11 (SIGSEGV), the status a shell reports for a child killed by a segmentation fault.
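
The log indicators above as detection logic, an added example (not from the page) run over constructed journal lines: it matches the Linux kernel's segfault line and systemd-coredump's notice for the watched process names, decodes the x86 page-fault error code (bit 1 set means a write, bit 2 set means user mode, so a user-mode read fault is what an over-read crash looks like), and groups a segfault with its core dump by PID. Hostnames, PIDs and addresses in the sample lines are invented.

```python
import re

WATCHED = {"MP4Box", "gpac"}  # process names to alert on

# Kernel segfault line (x86 Linux) and systemd-coredump notice
SEGFAULT_RE = re.compile(
    r"(?P<proc>[\w.+-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
    r" ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<err>\d+) in (?P<module>[^\[]+)\[")
COREDUMP_RE = re.compile(
    r"Process (?P<pid>\d+) \((?P<proc>[^)]+)\) of user \d+ dumped core")


def decode_fault(err):
    """x86 page-fault error code: bit 1 = write (else read), bit 2 = user mode."""
    mode = "user" if err & 4 else "kernel"
    access = "write" if err & 2 else "read"
    return mode + "-" + access


def scan(lines):
    """Return one alert dict per matching line, in input order."""
    alerts = []
    for line in lines:
        m = SEGFAULT_RE.search(line)
        if m and m.group("proc") in WATCHED:
            alerts.append({
                "kind": "segfault",
                "proc": m.group("proc"),
                "pid": int(m.group("pid")),
                "module": m.group("module"),   # where ip landed (library or binary)
                "fault": decode_fault(int(m.group("err"))),
            })
            continue
        m = COREDUMP_RE.search(line)
        if m and m.group("proc") in WATCHED:
            alerts.append({"kind": "coredump", "proc": m.group("proc"),
                           "pid": int(m.group("pid"))})
    return alerts


def correlate(alerts):
    """Group alert kinds by PID so a segfault and its core dump count as one crash."""
    by_pid = {}
    for a in alerts:
        by_pid.setdefault(a["pid"], []).append(a["kind"])
    return by_pid


# Constructed journal lines (hostnames, PIDs, addresses invented).
SAMPLE_LOGS = [
    "May 10 12:00:01 media kernel: MP4Box[4242]: segfault at 7f1c3b2ff000 ip 00007f1c3a9c5e70 sp 00007ffd9c3e1a40 error 4 in libgpac.so[7f1c3a800000+400000]",
    "May 10 12:00:01 media systemd-coredump[4243]: Process 4242 (MP4Box) of user 1000 dumped core.",
    "May 10 12:00:05 media kernel: ffmpeg[4300]: segfault at 0 ip 0000559800001000 sp 00007ffe00000000 error 6 in ffmpeg[559800000000+1000]",
    "May 10 12:00:09 media transcode[4310]: job 77 finished, exit code 0",
]
```

A user-read fault inside the GPAC library on a process that was handling a single input file is the signature to escalate; pair it with the file that was being processed, which the kernel line does not record, by joining on PID against your pipeline's own job log.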

🔗 References

  • https://github.com/gpac/gpac/issues/2179