CVE-2023-29584

8.8 HIGH

📋 TL;DR

CVE-2023-29584 is a heap buffer overflow vulnerability in the mp4v2 library's MP4GetVideoProfileLevel function. Attackers can exploit this to execute arbitrary code or cause denial of service by providing specially crafted MP4 files. This affects any application or system using mp4v2 v2.0.0 for MP4 file processing.

💻 Affected Systems

Products:
  • mp4v2
Versions: v2.0.0
Operating Systems: All platforms where mp4v2 is used (Linux, Windows, macOS, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or service that uses the vulnerable mp4v2 library to process MP4 files is affected, regardless of operating system.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the application using mp4v2, potentially leading to complete system compromise.

🟠 Likely Case

Application crash (denial of service) when processing malicious MP4 files, potentially disrupting media processing services.

🟢 If Mitigated

Contained application crash with minimal impact if proper sandboxing and privilege separation are implemented.

🌐 Internet-Facing: HIGH if the application processes user-uploaded MP4 files from untrusted sources.
🏢 Internal Only: MEDIUM if MP4 files are processed from internal sources only, but could still be exploited via malicious internal files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept demonstrates heap buffer overflow via specially crafted MP4 files. Exploitation requires the application to process a malicious file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.1.0 or later

Vendor Advisory: https://github.com/enzo1982/mp4v2/issues/30

Restart Required: Yes

Instructions:

1. Update mp4v2 to version 2.1.0 or later.
2. Rebuild any applications that statically link mp4v2.
3. Restart services using mp4v2.

🔧 Temporary Workarounds

Disable MP4 file processing

all

Temporarily disable MP4 file processing in affected applications until patched.

Input validation for MP4 files

all

Implement strict validation of MP4 files before processing, rejecting malformed files.
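
A structural pre-filter for the input-validation workaround above, as an added example that is not code from this page or from the mp4v2 project: it walks the MP4 box tree and rejects any file in which a box header is truncated or claims a size that does not fit inside its parent. The function names, the container list, the depth limit and the "file must start with ftyp" policy are assumptions of this example; the page does not describe where the crafted file is malformed, so a check like this supplements the update to 2.1.0 rather than standing in for it.

```python
import struct

# Box types whose payload is itself a sequence of boxes (ISO base media format).
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"edts", b"dinf"}
MAX_DEPTH = 16  # assumed limit; legitimate files nest far less deeply

def check_boxes(data, start=0, end=None, depth=0):
    """Return the box types found at this level, or raise ValueError."""
    end = len(data) if end is None else end
    if depth > MAX_DEPTH:
        raise ValueError("box nesting too deep")
    types, pos = [], start
    while pos < end:
        if end - pos < 8:
            raise ValueError(f"truncated box header at offset {pos}")
        size, btype = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1:  # 64-bit largesize follows the type field
            if end - pos < 16:
                raise ValueError(f"truncated largesize at offset {pos}")
            (size,) = struct.unpack_from(">Q", data, pos + 8)
            header = 16
        elif size == 0:  # "extends to end of file": top level only
            if depth:
                raise ValueError(f"size 0 inside a container at offset {pos}")
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"box {btype!r} at {pos} claims {size} bytes, {end - pos} available")
        if btype in CONTAINERS:
            check_boxes(data, pos + header, pos + size, depth + 1)
        types.append(btype)
        pos += size
    return types

def box(btype, payload=b""):
    """Build a well-formed box (used only for the constructed samples)."""
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

def is_acceptable(data):
    """True only if the box tree is consistent and the file starts with 'ftyp'."""
    try:
        return check_boxes(data)[:1] == [b"ftyp"]
    except ValueError:
        return False

# Constructed samples: a consistent file, and one whose 'trak' overruns its parent 'moov'.
GOOD = box(b"ftyp", b"isom\x00\x00\x00\x00") + box(b"moov", box(b"trak", box(b"mdia")))
BAD = box(b"ftyp", b"isom\x00\x00\x00\x00") + box(b"moov", struct.pack(">I4s", 4096, b"trak"))
```

Run it in the upload path before the file reaches any mp4v2-based tool, and log rejections so they can feed the crash and upload monitoring described under Detection & Monitoring.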

🧯 If You Can't Patch

  • Implement strict file upload controls and sandbox MP4 processing in isolated containers with minimal privileges.
  • Deploy runtime protection solutions (ASLR, DEP, stack canaries) and monitor for crash events related to mp4v2.

🔍 How to Verify

Check if Vulnerable:

Check if mp4v2 version 2.0.0 is installed: 'mp4info --version' or check library version in application dependencies.

Check Version:

mp4info --version

Verify Fix Applied:

Verify mp4v2 version is 2.1.0 or later: 'mp4info --version' should show 2.1.0+.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or segmentation faults when processing MP4 files
  • Memory corruption errors in application logs

Network Indicators:

  • Unusual MP4 file uploads to media processing services
  • Large number of failed MP4 processing requests

SIEM Query:

source="application.log" AND ("segmentation fault" OR "heap corruption" OR "buffer overflow") AND process="*mp4*"
