{"id":"CVE-2021-33361","details":"Memory leak in the afra_box_read function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.","modified":"2026-04-11T17:25:58.027987Z","published":"2021-09-13T20:15:08.510Z","references":[{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5411"},{"type":"FIX","url":"https://github.com/gpac/gpac/issues/1782"},{"type":"FIX","url":"https://github.com/gpac/gpac/commit/a51f951b878c2b73c1d8e2f1518c7cdc5fb82c3f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gpac/gpac","events":[{"introduced":"0"},{"last_affected":"d8538e8ae946b32d99c6b2c57cbb327146e9cd9d"},{"fixed":"a51f951b878c2b73c1d8e2f1518c7cdc5fb82c3f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.0.1"}]}}],"versions":["v0.5.2","v0.6.0","v0.7.0","v0.7.1","v0.9.0","v0.9.0-preview","v1.0.0","v1.0.1"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/gpac/gpac/commit/a51f951b878c2b73c1d8e2f1518c7cdc5fb82c3f","signature_version":"v1","target":{"file":"src/isomedia/box_code_adobe.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["173257933732895657791454856072550826614","335272942177535874662589193357733262801","325158472612267962414184621803428462934","251320005709277231234078755258523288097","288378636506204222685295060043339577644","336729436209302758293688035213458080050","78358940734272799868297090819371091041","309287822199362503481384769860411503329","256896105000039859550390821306006879784","33365563588096817325450385196559786397","18803994370916686041898023545193148103","104951466860376530318190474253865623106","83226274969225481578923699586586262345","162590810915219860779888630376840113288","165543997710540366462314263695688073375","215383182475346542705963808831546610224"]},"deprecated":false,"id":"CVE-2021-33361-2a794e70"},{"source":"https://github.com/gpac/gpac/commit/a51f951b878c2b73c1d8e2f1518c7cdc5fb82c3f","signature_version":"v1","target":{"file":"applications/mp4box/main.c","function":"mp4box_cleanup"},"signature_type":"Function","digest":{"length":2834,"function_hash":"73015870715061305347187311939351552826"},"deprecated":false,"id":"CVE-2021-33361-526fa629"},{"source":"https://github.com/gpac/gpac/commit/a51f951b878c2b73c1d8e2f1518c7cdc5fb82c3f","signature_version":"v1","target":{"file":"src/isomedia/box_code_adobe.c","function":"afra_box_read"},"signature_type":"Function","digest":{"length":1876,"function_hash":"122312135528555279617764607133896215776"},"deprecated":false,"id":"CVE-2021-33361-b22a6461"},{"source":"https://github.com/gpac/gpac/commit/a51f951b878c2b73c1d8e2f1518c7cdc5fb82c3f","signature_version":"v1","target":{"file":"applications/mp4box/main.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["44677966355079213415483734452131210546","277717650748245688562838150451199775608","164442005580115004913675099071449988250","313641165189259567567760258612648201704"]},"deprecated":false,"id":"CVE-2021-33361-b9b19e16"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33361.json","vanir_signatures_modified":"2026-04-11T17:25:58Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}