CVE-2022-47090
📋 TL;DR
This vulnerability is a buffer overflow in the VVC (H.266) bitstream parser used by GPAC's MP4Box, triggered when a specially crafted video file is processed. An attacker could use it to crash the tool (denial of service) or, in the worst case, execute arbitrary code with the privileges of the user running MP4Box. Anyone who runs a vulnerable GPAC build on untrusted video files is affected, including automated media-processing pipelines that invoke MP4Box without a human in the loop.
💻 Affected Systems
- GPAC MP4Box (no affected version range has been published; see below)
⚠️ Manual Verification Required
This CVE has no affected-version range in our database, so automated detection cannot decide whether your build is affected.
Why? Neither the vendor nor NVD published version ranges for this entry; the only fix reference is the upstream commit listed under Fix & Mitigation, so you have to compare your build against that commit yourself.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution with the privileges of the user or service running MP4Box when a malicious video file is processed; if that account is root or a shared media-processing identity, full compromise of the host follows.
Likely Case
Application crash (denial of service) when processing malformed video content
If Mitigated
Limited impact with proper input validation and sandboxing in place
🎯 Exploit Status
Exploitation requires crafting a malicious VVC video file and getting a vulnerable MP4Box to parse it. On a desktop that means convincing a user to open the file; in an automated media pipeline (a transcoding or upload service that runs MP4Box on every submission) no user interaction is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: no fixed release version is listed; the fix is commit 48760768611f6766bf9e7378bb7cc66cebd6e49d in the gpac/gpac repository
Vendor Advisory (upstream issue tracker): https://github.com/gpac/gpac/issues/2341
Restart Required: No
Instructions:
1. Update GPAC to the latest version from the official repository (https://github.com/gpac/gpac) or from your distribution, once it ships a build that contains the fix commit
2. If you build from source, check out a revision that includes commit 48760768611f6766bf9e7378bb7cc66cebd6e49d and rebuild
3. Replace installed binaries with the patched build, including the libgpac shared library if MP4Box is dynamically linked against it
🔧 Temporary Workarounds
Disable VVC processing
Configure GPAC to avoid processing VVC video streams.
Practicality: low. A stock build has no switch for this, so in practice it means either modifying and rebuilding the source or refusing VVC (H.266) input before it reaches the tool; treat it as a stopgap, not a fix.
🧯 If You Can't Patch
- Only process video files from trusted sources; reject or quarantine untrusted uploads before they reach MP4Box
- Run MP4Box in a sandbox or container with no network, a read-only filesystem, all capabilities dropped and a non-root user, so that a parser crash or code execution stays contained
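The sandboxing advice above, as an added example (a wrapper of our own, not GPAC or vendor tooling): it runs MP4Box on one untrusted file inside a throwaway Docker container with no network, a read-only root filesystem, dropped capabilities, a non-root uid and hard resource limits. It assumes Docker is installed, that the image named by MP4BOX_IMAGE provides an MP4Box binary (the default "gpac:local" is a hypothetical name), and that the host output directory is writable by uid 65534.

```shell
#!/bin/sh
# Added example, not GPAC project code: contain a parser crash or code
# execution in MP4Box by running it in a hardened one-shot container.
# Assumptions: Docker is installed; $MP4BOX_IMAGE (hypothetical default
# "gpac:local") contains an MP4Box binary; the output directory is writable
# by uid 65534 (chown or chmod it on the host first).
set -u

MP4BOX_IMAGE="${MP4BOX_IMAGE:-gpac:local}"   # assumed image name

# Run MP4Box under a hardened container.
#   $1  input file on the host (mounted read-only as /in/input.mp4)
#   $2  output directory on the host (mounted writable as /out)
#   $@  remaining arguments are passed to MP4Box verbatim
# Set DRY_RUN=1 to print the command instead of executing it.
#
# Policy, flag by flag:
#   timeout 120              kill runaway parsing; docker forwards SIGTERM
#                            to the container process (sig-proxy default)
#   --network none           a compromised parser gets no C2 or exfil path
#   --read-only + --tmpfs    nothing writable except a small noexec /tmp
#                            and the dedicated /out mount
#   --cap-drop ALL           no capabilities even if uid 0 were reached
#   --security-opt no-new-privileges   setuid/setcap binaries cannot
#                            raise privileges inside the container
#   --pids-limit / --memory  bound fork bombs and memory exhaustion
#                            from a denial-of-service payload
#   --user 65534:65534       run as nobody, never as root
run_mp4box_sandboxed() {
    src="$1"; dst="$2"; shift 2
    runner="timeout 120 docker"
    [ "${DRY_RUN:-0}" = 1 ] && runner="echo timeout 120 docker"
    # shellcheck disable=SC2086  # $runner is intentionally word-split
    $runner run --rm \
        --network none \
        --read-only \
        --tmpfs /tmp:rw,noexec,nosuid,size=64m \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        --pids-limit 64 \
        --memory 512m \
        --user 65534:65534 \
        -v "$(realpath "$src"):/in/input.mp4:ro" \
        -v "$(realpath "$dst"):/out:rw" \
        "$MP4BOX_IMAGE" MP4Box "$@"
}

# Stand-alone use, e.g.:
#   ./sandbox.sh untrusted.mp4 ./out -info /in/input.mp4
#   ./sandbox.sh untrusted.mp4 ./out -add /in/input.mp4 -new /out/remuxed.mp4
if [ $# -ge 3 ]; then
    run_mp4box_sandboxed "$@"
fi
```

Inside the container the input is always /in/input.mp4 and the only writable location is /out, so MP4Box arguments must use those paths. The exit status of the wrapper is the container's exit status; a segfault shows up as 139 and a timeout as 124, both of which are worth alerting on when this runs unattended.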
🔍 How to Verify
Check if Vulnerable:
No affected-version range is published, so compare build revisions rather than version numbers: MP4Box -version prints the GPAC version together with the git revision the binary was built from (the -g<hash> token).
Check Version:
MP4Box -version
Verify Fix Applied:
The build is fixed only if its revision descends from commit 48760768611f6766bf9e7378bb7cc66cebd6e49d; check that with git merge-base --is-ancestor in a clone of gpac/gpac, or confirm that your distribution backported that commit.
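The check described above, as an added script of our own (not vendor tooling). It assumes MP4Box -version prints a line of the form "MP4Box - GPAC version 2.2.1-rev0-gb34e3851-release", where the token after "-g" is the abbreviated git revision the binary was built from, and that a clone of https://github.com/gpac/gpac is available locally (the default path "$HOME/src/gpac" is an assumption) for the ancestry test.

```shell
#!/bin/sh
# Added example, not GPAC project code: decide whether an installed MP4Box
# contains the fix commit named in this advisory by comparing git ancestry,
# since no affected-version range exists.
# Assumptions: "MP4Box -version" prints "... GPAC version <ver>-g<hash>..."
# and a local clone of gpac/gpac exists for the ancestry check.
set -u

FIX_COMMIT="48760768611f6766bf9e7378bb7cc66cebd6e49d"

# Extract the build revision from a -version line: prints the hash after
# "-g", or nothing when the line carries no git revision (e.g. a tarball
# build reporting only "2.0.0").
gpac_rev_from_version_line() {
    printf '%s\n' "$1" | sed -n 's/.*-g\([0-9a-f]\{7,40\}\).*/\1/p'
}

# $1 = build revision, $2 = path to a gpac/gpac clone.
# Returns 0 if FIX_COMMIT is an ancestor of the build revision (fixed),
# 1 if it is not (vulnerable), 2 if the clone does not know the revision
# (shallow clone, stale fetch, vendor fork) and manual review is needed.
gpac_build_is_fixed() {
    rev="$1"; repo="$2"
    git -C "$repo" cat-file -e "${rev}^{commit}" 2>/dev/null || return 2
    git -C "$repo" merge-base --is-ancestor "$FIX_COMMIT" "$rev" && return 0
    return 1
}

# Query the installed binary and report; $1 optionally overrides the clone
# path (default is an assumed location).
check_installed_mp4box() {
    repo="${1:-${HOME:-.}/src/gpac}"
    line="$(MP4Box -version 2>&1 | grep 'GPAC version' | head -n1)"
    [ -n "$line" ] || { echo "MP4Box not found or unexpected -version output" >&2; return 2; }
    rev="$(gpac_rev_from_version_line "$line")"
    [ -n "$rev" ] || { echo "no git revision in: $line" >&2; return 2; }
    rc=0; gpac_build_is_fixed "$rev" "$repo" || rc=$?
    case $rc in
        0) echo "fixed: build $rev contains $FIX_COMMIT" ;;
        1) echo "VULNERABLE: build $rev predates $FIX_COMMIT" ;;
        *) echo "unknown: revision $rev not in clone $repo, check manually" ;;
    esac
    return $rc
}

# Stand-alone use: ./check.sh --check [/path/to/gpac-clone]
if [ "${1:-}" = "--check" ]; then
    check_installed_mp4box "${2:-}"
fi
```

Run `git -C /path/to/gpac fetch --all` first so the clone knows recent revisions; a result of 2 usually means the clone is stale rather than that the build is exotic. Distribution packages that backport the fix without changing the build revision will still report VULNERABLE, so treat the distro changelog as the authority in that case.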
📡 Detection & Monitoring
Log Indicators:
- MP4Box segmentation faults: on Linux the kernel logs these as MP4Box[<pid>]: segfault at <addr> ip <ip> sp <sp> error <n> in <object>[...] (visible in dmesg or journalctl -k); a glibc stack-protector abort shows up as "*** stack smashing detected ***" from the MP4Box process
- Memory access violation errors in application logs: on Windows, Application Error event 1000 for MP4Box.exe with exception code 0xc0000005 (access violation) or 0xc0000409 (stack buffer overrun detected by the /GS cookie)
Network Indicators:
- Unusual video file uploads to media processing services, in particular VVC (H.266) content arriving where none is expected
SIEM Query:
Process:MP4Box AND (EventID:1000 OR ExceptionCode:c0000005)
This query targets Windows Application Error events; for Linux hosts match kernel log messages that contain both "MP4Box[" and "segfault at" (or "general protection fault"), and alert on any match from a host that processes untrusted media.
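The indicators and query above, as an added detection example (our own, not vendor tooling) that runs over a log stream: it keeps lines carrying the crash signatures a parser overflow in MP4Box would leave on Linux or Windows hosts and breaks Linux segfault lines into triage fields. The sample log embedded in the block is constructed for the example; the Windows event is assumed to have been flattened to one line by the log shipper.

```shell
#!/bin/sh
# Added example, not GPAC project code: find MP4Box crash evidence in logs.
# Signatures matched:
#   Linux kernel (dmesg, journalctl -k):
#     "MP4Box[<pid>]: segfault at <addr> ip <ip> sp <sp> error <n> in <obj>[...]"
#     "traps: MP4Box[<pid>] general protection fault ..." (wild pointer access)
#   glibc stack protector, when MP4Box was built with -fstack-protector:
#     "MP4Box[<pid>]: *** stack smashing detected ***: terminated"
#   Windows Application Error event 1000 (assumed flattened to one line):
#     "Faulting application name: MP4Box.exe ... Exception code: 0xc0000005"
#     0xc0000409 is STATUS_STACK_BUFFER_OVERRUN, the /GS cookie failure.
set -u

# Constructed sample log for the example: two Linux crashes, one Windows
# crash, one unrelated ffmpeg crash and one benign MP4Box line.
SAMPLE_LOG='Jan 10 12:00:01 media kernel: MP4Box[4242]: segfault at 7ffd9e3f0000 ip 000055d2c1a3b4c0 sp 00007ffd9e3ef000 error 4 in MP4Box[55d2c1a00000+3d000]
Jan 10 12:00:02 media MP4Box[4243]: *** stack smashing detected ***: terminated
Jan 10 12:00:03 media kernel: ffmpeg[5000]: segfault at 0 ip 0000555555555555 sp 00007fffffffe000 error 4 in ffmpeg[555555554000+1000]
2023-01-10T12:00:04 WIN-MEDIA Application Error 1000: Faulting application name: MP4Box.exe, version: 2.0.0.0 Exception code: 0xc0000005 Faulting module name: libgpac.dll
Jan 10 12:00:05 media MP4Box[4244]: [MP4 import] Importing VVC stream done'

# Keep only lines that look like an MP4Box crash (stdin -> stdout).
mp4box_crash_lines() {
    grep -E -i \
        -e 'MP4Box\[[0-9]+\]:? (segfault at|general protection fault)' \
        -e 'MP4Box\[[0-9]+\]: \*\*\* stack smashing detected' \
        -e 'Faulting application name: MP4Box\.exe.*Exception code: 0x(c0000005|c0000409)'
}

# Number of crash lines on stdin; prints 0 when nothing matched and does not
# propagate grep's non-zero status, so it is safe under set -e.
mp4box_crash_count() {
    mp4box_crash_lines | wc -l | tr -d ' '
}

# Turn Linux segfault lines into triage fields. The error value is the x86
# page-fault error code: 4 = user-mode read of an unmapped page, 6 = user
# write to an unmapped page, 7 = user write to a protected page, 20 =
# instruction fetch from unmapped memory, which for a stack overflow usually
# means a corrupted return address.
mp4box_segfault_fields() {
    sed -n -E 's/.*MP4Box\[([0-9]+)\]: segfault at ([0-9a-f]+) ip [0-9a-f]+ sp [0-9a-f]+ error ([0-9]+) in ([^[ ]+).*/pid=\1 addr=\2 error=\3 in=\4/p'
}

# Stand-alone use:
#   journalctl -k --since today | ./detect.sh --scan
#   journalctl -k --since today | ./detect.sh --fields
#   ./detect.sh --demo        (runs against the constructed sample)
case "${1:-}" in
    --scan)   mp4box_crash_lines ;;
    --fields) mp4box_segfault_fields ;;
    --demo)   printf '%s\n' "$SAMPLE_LOG" | mp4box_crash_lines ;;
esac
```

On the sample, --demo reports the kernel segfault, the stack-protector abort and the Windows access violation and ignores the ffmpeg crash and the benign import line; --fields on the same input yields pid=4242 addr=7ffd9e3f0000 error=4 in=MP4Box, and the "in=" object (MP4Box itself versus libgpac.so) tells you which binary to pull a core dump or crash dump from.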