Skip to main content

Bento4 EUVDEUVD-2026-17725

| CVE-2026-5235 LOW
Heap-based Buffer Overflow (CWE-122)
2026-03-31 VulDB
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
4.8 (MEDIUM) 1.9 (LOW)
PoC Detected
Apr 01, 2026 - 14:23 vuln.today
Public exploit code
EUVD ID Assigned
Mar 31, 2026 - 22:32 euvd
EUVD-2026-17725
Analysis Generated
Mar 31, 2026 - 22:32 vuln.today
CVE Published
Mar 31, 2026 - 22:15 nvd
MEDIUM 4.8

DescriptionCVE.org

A vulnerability was determined in Axiomatic Bento4 up to 1.6.0-641. This impacts the function AP4_BitReader::ReadCache of the file Ap4Dac4Atom.cpp of the component MP4 File Parser. This manipulation causes heap-based buffer overflow. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Heap-based buffer overflow in Axiomatic Bento4 up to version 1.6.0-641 affects the AP4_BitReader::ReadCache function in the MP4 file parser component, allowing local attackers with limited privileges to cause information disclosure, integrity violation, and denial of service. Publicly available exploit code exists, and the vendor has not yet responded to the early disclosure despite project notification through GitHub issue tracking.

Technical ContextAI

The vulnerability resides in the MP4 file parser component of Bento4, specifically in the Ap4Dac4Atom.cpp file's AP4_BitReader::ReadCache function. This represents a classic heap-based buffer overflow (CWE-122: Heap-based Buffer Overflow), where improper bounds checking during bitstream reading operations allows writing beyond allocated heap memory. Bento4 is a C++ library for reading and writing digital media files in the ISOM/MP4 format, commonly used in multimedia processing pipelines. The affected CPE range (cpe:2.3:a:axiomatic:bento4:*:*:*:*:*:*:*:*) indicates all versions up to 1.6.0-641 are vulnerable to this memory safety violation.

RemediationAI

Upgrade Axiomatic Bento4 to a version newer than 1.6.0-641 once the vendor releases a patched version; no vendor-released patch has been independently confirmed at time of analysis. As an interim mitigation, restrict access to Bento4 processing functions to trusted sources only, avoid processing untrusted MP4 files with vulnerable versions, and consider sandboxing or containerizing Bento4 usage to limit the blast radius of potential heap corruption. Monitor the official GitHub repository (https://github.com/axiomatic-systems/Bento4/issues/1058) and VulDB (https://vuldb.com/vuln/354386) for vendor response and patch availability.

More in Bento4

View all
CVE-2024-31004 CRITICAL POC
9.8 Apr 02

An issue in Bento4 Bento v.1.6.0-641 allows a remote attacker to execute arbitrary code via the Ap4StsdAtom.cpp,AP4_Stsd

CVE-2024-31002 CRITICAL POC
9.8 Apr 02

Buffer Overflow vulnerability in Bento4 Bento v.1.6.0-641 allows a remote attacker to execute arbitrary code via the AP4

CVE-2018-14531 CRITICAL POC
9.8 Jul 23

An issue was discovered in Bento4 1.5.1-624. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2017-14639 HIGH POC
8.8 Sep 21

AP4_VisualSampleEntry::ReadFields in Core/Ap4SampleEntry.cpp in Bento4 1.5.0-617 uses incorrect character data types, wh

CVE-2017-14644 HIGH POC
8.8 Sep 21

A heap-based buffer overflow was discovered in the AP4_HdlrAtom class in Bento4 1.5.0-617. Rated high severity (CVSS 8.8

CVE-2024-31003 HIGH POC
8.8 Apr 02

Buffer Overflow vulnerability in Bento4 Bento v.1.6.0-641 allows a remote attacker to execute arbitrary code via the AP4

CVE-2022-4584 HIGH POC
8.8 Dec 17

A vulnerability was found in Axiomatic Bento4 up to 1.6.0-639. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2022-3974 HIGH POC
8.8 Nov 13

A vulnerability classified as critical was found in Axiomatic Bento4. Rated high severity (CVSS 8.8), this vulnerability

CVE-2022-41430 HIGH POC
8.8 Oct 03

Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_BitReader::ReadBit function in mp4mux. Rated hig

CVE-2022-41429 HIGH POC
8.8 Oct 03

Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_Atom::TypeFromString function in mp4tag. Rated h

CVE-2022-41428 HIGH POC
8.8 Oct 03

Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_BitReader::ReadBits function in mp4mux. Rated hi

CVE-2021-32265 HIGH POC
8.8 Sep 20

An issue was discovered in Bento4 through v1.6.0-637. Rated high severity (CVSS 8.8), this vulnerability is remotely exp

Share

EUVD-2026-17725 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy