{"id":"CVE-2021-31258","details":"The gf_isom_set_extraction_slc function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.","modified":"2026-04-11T17:12:26.410631Z","published":"2021-04-19T19:15:18.327Z","references":[{"type":"FIX","url":"https://github.com/gpac/gpac/commit/ebfa346eff05049718f7b80041093b4c5581c24e"},{"type":"EVIDENCE","url":"https://github.com/gpac/gpac/issues/1706"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gpac/gpac","events":[{"introduced":"0"},{"last_affected":"d8538e8ae946b32d99c6b2c57cbb327146e9cd9d"},{"fixed":"ebfa346eff05049718f7b80041093b4c5581c24e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.0.1"}]}}],"versions":["v0.5.2","v0.6.0","v0.7.0","v0.7.1","v0.9.0","v0.9.0-preview","v1.0.0","v1.0.1"],"database_specific":{"vanir_signatures":[{"deprecated":false,"target":{"file":"src/isomedia/isom_read.c"},"signature_version":"v1","source":"https://github.com/gpac/gpac/commit/ebfa346eff05049718f7b80041093b4c5581c24e","id":"CVE-2021-31258-3ba70ab4","digest":{"line_hashes":["270617900074585397401484796233809869972","266556905381068162363874736581927080072","128247643108269553959618366844869920155","151002184077632499010279979493437122930"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"target":{"file":"src/media_tools/isom_hinter.c"},"signature_version":"v1","source":"https://github.com/gpac/gpac/commit/ebfa346eff05049718f7b80041093b4c5581c24e","id":"CVE-2021-31258-802802f4","digest":{"line_hashes":["259652571069950963945971642835717277815","215728378582260301418390893771053441032","309570343603242213718214264290582359552","158326549550549045648789173518921490312"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"target":{"function":"gf_isom_guess_specification","file":"src/isomedia/isom_read.c"},"signature_version":"v1","source":"https://github.com/gpac/gpac/commit/ebfa346eff05049718f7b80041093b4c5581c24e","id":"CVE-2021-31258-98bde890","digest":{"function_hash":"201795973519872899739681987433964370864","length":3648},"signature_type":"Function"},{"deprecated":false,"target":{"function":"gf_isom_set_extraction_slc","file":"src/isomedia/isom_write.c"},"signature_version":"v1","source":"https://github.com/gpac/gpac/commit/ebfa346eff05049718f7b80041093b4c5581c24e","id":"CVE-2021-31258-b0a46259","digest":{"function_hash":"212030541430037658386937552276659384204","length":1038},"signature_type":"Function"},{"deprecated":false,"target":{"function":"gf_hinter_track_new","file":"src/media_tools/isom_hinter.c"},"signature_version":"v1","source":"https://github.com/gpac/gpac/commit/ebfa346eff05049718f7b80041093b4c5581c24e","id":"CVE-2021-31258-b987cc06","digest":{"function_hash":"191501682910234544732100356540988623355","length":10398},"signature_type":"Function"},{"deprecated":false,"target":{"file":"src/isomedia/isom_write.c"},"signature_version":"v1","source":"https://github.com/gpac/gpac/commit/ebfa346eff05049718f7b80041093b4c5581c24e","id":"CVE-2021-31258-fb702916","digest":{"line_hashes":["227718408228789048064985627527740910474","54977739924720519365670947084475811541","168597170443951711395261426255018734116","198785111809026613350662461408220335886","173339589024345270044873056453061851953","230281504719185982157164309706284803369","80623951809101107209873934467657455551","132786278438985534124625906195400243593","35380870174249906734613327619622366753","9083488159551905715355050900648687795","164644400157436864246531908615106085215","293507950621516326366231203972902870083","65466738529165524984898644288541299129","277399048657994215131697616686824185357","106105212666821748091817423852243024922","254564669850670643240633422548249399006"],"threshold":0.9},"signature_type":"Line"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31258.json","vanir_signatures_modified":"2026-04-11T17:12:26Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}