CVE-2025-25944

CVE-2025-25944 is a buffer overflow vulnerability in Bento4 version 1.6.0-641, affecting the Ap4RtpAtom.cpp source file, specifically within the AP4_RtpAtom constructor. The issue arises when processing a crafted MP4 input file using the mp4fragment tool, leading to potential memory corruption. It is classified under CWE-94 (Code Injection) with a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high impact but requiring local access and user interaction.

A local attacker with low privileges can exploit this vulnerability by supplying a maliciously crafted MP4 file and tricking a user into executing the mp4fragment tool on it. Successful exploitation allows arbitrary code execution in the context of the affected process, potentially granting the attacker high confidentiality, integrity, and availability impacts, such as data theft, modification, or denial of service.

The primary reference, a GitHub issue at https://github.com/axiomatic-systems/Bento4/issues/993, documents the vulnerability in the Bento4 repository, where further technical details and potential patches or workarounds may be discussed by the maintainers. Security practitioners should monitor this issue for official fixes and avoid processing untrusted MP4 files with affected Bento4 versions.