CVE-2024-24265 in GPAC
Summary
by MITRE • 02/05/2024
gpac v2.2.1 was discovered to contain a memory leak via the dst_props variable in the gf_filter_pid_merge_properties_internal function.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/10/2025
The vulnerability identified as CVE-2024-24265 affects the gpac multimedia framework version 2.2.1, specifically within the gf_filter_pid_merge_properties_internal function where a memory leak occurs through the dst_props variable. This memory leak represents a critical security concern that can lead to resource exhaustion and system instability. The gpac framework is widely used for multimedia processing and streaming applications, making this vulnerability particularly significant for systems relying on its functionality. The flaw manifests when the function processes property merging operations, where memory allocated to the dst_props variable is not properly deallocated, creating a persistent memory consumption issue.
The technical nature of this vulnerability stems from improper memory management within the multimedia processing pipeline of gpac. When the gf_filter_pid_merge_properties_internal function executes, it handles the merging of properties from different data streams or processing nodes. The dst_props variable accumulates memory resources during this operation but fails to release them back to the system upon completion. This memory leak behavior follows patterns commonly associated with CWE-401, which specifically addresses improper management of memory allocation and deallocation. The vulnerability creates a gradual consumption of available memory resources, potentially leading to denial of service conditions when the system runs for extended periods or processes large volumes of multimedia content.
The operational impact of this memory leak vulnerability extends beyond simple resource consumption, as it can compromise system stability and availability for multimedia applications. Systems utilizing gpac for video streaming, audio processing, or multimedia content delivery may experience progressive performance degradation, increased latency, or complete service interruption when the memory leak accumulates to critical levels. Attackers could potentially exploit this vulnerability by continuously triggering the affected function through crafted multimedia content or processing workflows, accelerating the memory consumption process. This behavior aligns with ATT&CK technique T1499.004, which covers resource exhaustion attacks targeting system memory through improper resource management.
Mitigation strategies for CVE-2024-24265 should prioritize immediate patching of the gpac framework to version 2.2.2 or later, which contains the fix for the memory leak in the dst_props variable. Organizations should implement monitoring systems to track memory consumption patterns in gpac-dependent applications, enabling early detection of potential exploitation attempts. Process isolation and resource limiting measures can help contain the impact of memory leaks by preventing a single process from consuming excessive system resources. Additionally, regular security assessments of multimedia processing pipelines should include memory management checks to identify similar vulnerabilities in other components of the multimedia framework. The fix implemented in subsequent versions addresses the root cause by ensuring proper deallocation of memory resources associated with the dst_props variable, thereby preventing the accumulation of unreleased memory blocks that characterize this vulnerability.