Cyber Posture

CVE-2024-57509

High

Published: 29 January 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (37.2nd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A buffer overflow vulnerability in Bento4 mp42avc at commit 3bdc891602d19789b8e8626e4a3e613a937b4d35 allows a local attacker to execute arbitrary code via the AP4_File::ParseStream and related functions.

Security Summary

CVE-2024-57509 is a buffer overflow vulnerability (CWE-120) in the Bento4 mp42avc tool at commit 3bdc891602d19789b8e8626e4a3e613a937b4d35. The issue resides in AP4_File::ParseStream and related functions and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It was published on 2025-01-29.

A local attacker with low privileges can exploit this vulnerability without user interaction by providing malicious input to the affected mp42avc functions, leading to arbitrary code execution on the target system.

Mitigation details are available in the Bento4 GitHub issue (https://github.com/axiomatic-systems/Bento4/issues/989) and a related proof-of-concept gist (https://gist.github.com/G2FUZZ/91a1cc3b8f2b0720e984353d59023b24).

Details

CWE(s)
CWE-120

References