Nixpkgs security tracker

Untriaged

Permalink CVE-2026-5235

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 2 weeks, 3 days ago

Axiomatic Bento4 MP4 File Ap4Dac4Atom.cpp ReadCache heap-based overflow

A vulnerability was determined in Axiomatic Bento4 up to 1.6.0-641. This impacts the function AP4_BitReader::ReadCache of the file Ap4Dac4Atom.cpp of the component MP4 File Parser. This manipulation causes heap-based buffer overflow. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

References

VDB-354386 | Axiomatic Bento4 MP4 File Ap4Dac4Atom.cpp ReadCache heap-based overflow vdb-entrytechnical-description
VDB-354386 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #780472 | Bento4 <=1.6.0-641 Memory Corruption third-party-advisory
https://github.com/axiomatic-systems/Bento4/issues/1058 issue-tracking
https://github.com/axiomatic-systems/Bento4/issues/1058#issue-4078583078 exploitissue-tracking

Affected products

Bento4

==1.6.0-641

Matching in nixpkgs

pkgs.bento4

Full-featured MP4 format and MPEG DASH library and tools

nixos-unstable 1.6.0-641
- nixpkgs-unstable 1.6.0-641
- nixos-unstable-small 1.6.0-641
nixos-25.11 1.6.0-641
- nixos-25.11-small 1.6.0-641
- nixpkgs-25.11-darwin 1.6.0-641

Package maintainers

@makefu Felix Richter <makefu@syntax-fehler.de>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.bento4

Package maintainers