Login Sign Up

CVE-2023-48014

7.8 HIGH

📋 TL;DR

This CVE describes a stack overflow vulnerability in GPAC's HEVC video parser that could allow remote code execution. Attackers could exploit this by crafting malicious HEVC video files. Users and applications processing untrusted HEVC video content with vulnerable GPAC versions are affected.

💻 Affected Systems

Products:
  • GPAC (Multimedia Framework)
Versions: GPAC v2.3-DEV-rev566-g50c2ab06f-master and earlier development versions
Operating Systems: All platforms running GPAC
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects GPAC when processing HEVC/H.265 video content. Stable releases may not be affected, but development versions are vulnerable.

📦 What is this software?

Gpac by Gpac

View all CVEs affecting Gpac →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the GPAC process, potentially leading to complete system compromise.

🟠

Likely Case

Application crash (denial of service) when processing malicious HEVC content.

🟢

If Mitigated

No impact if patched version is used or if untrusted HEVC content is not processed.

🌐 Internet-Facing: MEDIUM - Applications processing user-uploaded video content could be exploited remotely.
🏢 Internal Only: LOW - Requires processing of malicious HEVC files, which is less likely in controlled internal environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious HEVC video files. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 66abf0887c89c29a484d9e65e70882794e9e3a1b

Vendor Advisory: https://github.com/gpac/gpac/commit/66abf0887c89c29a484d9e65e70882794e9e3a1b

Restart Required: Yes

Instructions:

1. Update GPAC to latest version from official repository. 2. Rebuild from source if using development version. 3. Restart any applications using GPAC libraries.

🔧 Temporary Workarounds

Disable HEVC Processing

all

Configure applications to not process HEVC/H.265 video content

Input Validation

all

Implement strict validation of HEVC video files before processing

🧯 If You Can't Patch

  • Isolate GPAC applications in restricted environments with minimal privileges
  • Implement network segmentation to limit exposure of video processing services

🔍 How to Verify

Check if Vulnerable:

Check GPAC version and compare against vulnerable development versions. Use 'gpac -version' or check build commit hash.

Check Version:

gpac -version 2>/dev/null || gpac --version 2>/dev/null || strings $(which gpac) 2>/dev/null | grep -i version

Verify Fix Applied:

Verify GPAC version includes commit 66abf0887c89c29a484d9e65e70882794e9e3a1b or later.

📡 Detection & Monitoring

Log Indicators:

  • GPAC process crashes
  • Segmentation faults in media processing
  • Abnormal termination of video processing applications

Network Indicators:

  • Unusual HEVC file uploads to media processing services
  • Multiple failed video processing attempts

SIEM Query:

process.name:"gpac" AND event.action:"crash" OR process.name:"gpac" AND event.outcome:"failure"

📊 Metadata

CVE ID: CVE-2023-48014
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787
Published: November 15, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-48014, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)