NIXPKGS-2026-0912

GitHub issue published on

Permalink CVE-2026-5235

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

updated 1 week ago by @LeSuisse Activity log

Created automatic suggestion 1 week ago
@LeSuisse accepted 1 week ago
@LeSuisse published on GitHub 1 week ago

Axiomatic Bento4 MP4 File Ap4Dac4Atom.cpp ReadCache heap-based overflow

A vulnerability was determined in Axiomatic Bento4 up to 1.6.0-641. This impacts the function AP4_BitReader::ReadCache of the file Ap4Dac4Atom.cpp of the component MP4 File Parser. This manipulation causes heap-based buffer overflow. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

References

VDB-354386 | Axiomatic Bento4 MP4 File Ap4Dac4Atom.cpp ReadCache heap-based overflow vdb-entrytechnical-description
VDB-354386 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #780472 | Bento4 <=1.6.0-641 Memory Corruption third-party-advisory
https://github.com/axiomatic-systems/Bento4/issues/1058 issue-tracking
https://github.com/axiomatic-systems/Bento4/issues/1058#issue-4078583078 issue-trackingexploit

Affected products

Bento4

==1.6.0-641

Matching in nixpkgs

pkgs.bento4

Full-featured MP4 format and MPEG DASH library and tools

nixos-unstable 1.6.0-641
- nixpkgs-unstable 1.6.0-641
- nixos-unstable-small 1.6.0-641
nixos-25.11 1.6.0-641
- nixos-25.11-small 1.6.0-641
- nixpkgs-25.11-darwin 1.6.0-641

Package maintainers

@makefu Felix Richter <makefu@syntax-fehler.de>

Unpatched
Upstream issue: https://github.com/axiomatic-systems/Bento4/issues/1058

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0912

References

Affected products

Matching in nixpkgs

pkgs.bento4

Package maintainers