CVE-2024-50664

HighPublic PoC

Published: 23 January 2025

Published

23 January 2025

Modified

11 February 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0009 24.9th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

gpac 2.4 contains a heap-buffer-overflow at isomedia/sample_descs.c:1799 in gf_isom_new_mpha_description in gpac/MP4Box.

Security Summary

CVE-2024-50664 is a heap buffer overflow vulnerability in GPAC version 2.4, an open-source multimedia framework. The flaw is located at isomedia/sample_descs.c:1799 in the function gf_isom_new_mpha_description within the gpac/MP4Box component. It is associated with CWE-787 (Out-of-bounds Write) and CWE-120 (Buffer Copy without Checking Size of Input).

The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). A local attacker with no privileges can exploit it by tricking a user into processing a malicious file with MP4Box, requiring user interaction. Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data, modification of system integrity, and denial of service through potential arbitrary code execution.

Mitigation details and patches are discussed in the GitHub issue at https://github.com/gpac/gpac/issues/2988. Security practitioners should monitor this repository for updates and apply fixes promptly when available.

Details

CWE(s): CWE-787CWE-120

Affected Products

gpac

2.4

References

https://github.com/gpac/gpac/issues/2988
Exploit, Issue Tracking, Vendor Advisory · cve@mitre.org
https://github.com/gpac/gpac/issues/2988
Exploit, Issue Tracking, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0