Cyber Posture

CVE-2022-47090

Severity: High
Published: 24 January 2025
Modified: 15 April 2026
KEV Added:
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (24.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

GPAC MP4Box 2.1-DEV-rev574-g9d5bb184b contains a buffer overflow in the gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c; a bounds check is needed for num_exp_tile_columns.

Security Summary

CVE-2022-47090 is a buffer overflow vulnerability affecting GPAC MP4Box version 2.1-DEV-rev574-g9d5bb184b. The flaw lies in the gf_vvc_read_pps_bs_internal function in media_tools/av_parsers.c, where the value of num_exp_tile_columns read from the picture parameter set is not checked before use, allowing the overflow. It is categorized under CWE-120 (Buffer Copy without Checking Size of Input) and received a CVSS v3.1 base score of 7.8.

The vulnerability is exploitable locally with low attack complexity and no privileges, but it requires user interaction: a user must process a specially crafted file with MP4Box. Successful exploitation has high confidentiality, integrity, and availability impact within the local scope, potentially allowing arbitrary code execution, data disclosure, or denial of service.

A patch is available via a commit in the GPAC GitHub repository at https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d, which addresses the missing check. Additional details on the issue are documented in https://github.com/gpac/gpac/issues/2341. Practitioners should apply the patch or use an updated GPAC version to mitigate the risk.

Details

CWE(s)
CWE-120

References

- https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d (fix commit)
- https://github.com/gpac/gpac/issues/2341 (issue report)