CVE-2024-24267 in GPACinfo

Summary

by MITRE • 02/05/2024

gpac v2.2.1 was discovered to contain a memory leak via the gfio_blob variable in the gf_fileio_from_blob function.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 09/15/2025

The vulnerability identified as CVE-2024-24267 affects the gpac multimedia framework version 2.2.1, specifically within the gf_fileio_from_blob function where a memory leak occurs through the gfio_blob variable. This memory leak represents a critical security flaw that can lead to resource exhaustion and system instability when the affected software processes multimedia content. The vulnerability manifests when the application fails to properly manage memory allocation and deallocation during file input/output operations, particularly when handling blob data structures. The gpac framework is widely used for multimedia processing and playback, making this vulnerability potentially impactful across various applications that rely on its core functionality.

The technical flaw stems from improper memory management within the gf_fileio_from_blob function where the gfio_blob variable is not correctly freed or released after use. This type of memory leak falls under CWE-401: Improper Release of Memory Before Removal from Pool, which is classified as a memory management error that can lead to progressive resource consumption. The vulnerability occurs during the processing of multimedia files where the application allocates memory for blob data structures but fails to properly clean up these allocations, resulting in memory that remains allocated even after the data is no longer needed. This issue is particularly concerning because it can be exploited through repeated processing of multimedia content, leading to gradual memory exhaustion that may cause application crashes or system instability.

The operational impact of this vulnerability extends beyond simple resource consumption, as it can be leveraged to cause denial of service conditions in applications that depend on gpac for multimedia processing. Attackers could potentially exploit this memory leak by submitting multiple multimedia files or by repeatedly processing the same content, causing progressive memory consumption that eventually leads to application termination or system resource depletion. The vulnerability affects systems where gpac is integrated as a core component, including multimedia players, content delivery platforms, and streaming applications. According to ATT&CK framework category T1499.004, this vulnerability could be categorized under "Resource Exhaustion" techniques, where adversaries consume system resources to prevent normal operations.

Mitigation strategies should focus on immediate code-level fixes that ensure proper memory deallocation and implement robust error handling within the gf_fileio_from_blob function. The recommended approach involves adding proper cleanup routines for the gfio_blob variable and implementing memory management checks that validate allocation and deallocation sequences. System administrators should prioritize updating to gpac versions that address this vulnerability, as the memory leak can be exploited through legitimate application usage patterns without requiring special privileges or complex attack vectors. Additionally, monitoring systems should be implemented to detect unusual memory consumption patterns that may indicate exploitation attempts. Organizations should also consider implementing application sandboxing and resource limits to prevent the memory leak from causing system-wide impact, while regular security assessments should verify that similar memory management issues have been addressed throughout the codebase.

Reservation

01/25/2024

Disclosure

02/05/2024

Moderation

accepted

CPE

ready

EPSS

0.01635

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!