{"id":"CVE-2021-40592","details":"GPAC version before commit 71460d72ec07df766dab0a4d52687529f3efcf0a (version v1.0.1 onwards) contains loop with unreachable exit condition ('infinite loop') vulnerability in ISOBMFF reader filter, isoffin_read.c. Function isoffin_process() can result in DoS by infinite loop. To exploit, the victim must open a specially crafted mp4 file.","modified":"2026-04-11T21:23:24.112854Z","published":"2022-06-08T18:15:08.173Z","references":[{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5411"},{"type":"REPORT","url":"https://github.com/gpac/gpac/issues/1876"},{"type":"FIX","url":"https://github.com/gpac/gpac/commit/71460d72ec07df766dab0a4d52687529f3efcf0a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gpac/gpac","events":[{"introduced":"0"},{"fixed":"d8538e8ae946b32d99c6b2c57cbb327146e9cd9d"},{"fixed":"71460d72ec07df766dab0a4d52687529f3efcf0a"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.0.1"}]}}],"versions":["v0.5.2","v0.6.0","v0.7.0","v0.7.1","v0.9.0","v0.9.0-preview","v1.0.0"],"database_specific":{"vanir_signatures":[{"signature_type":"Function","source":"https://github.com/gpac/gpac/commit/71460d72ec07df766dab0a4d52687529f3efcf0a","digest":{"function_hash":"202191313209902171335378986350380797408","length":9072},"deprecated":false,"signature_version":"v1","target":{"file":"src/filters/isoffin_read_ch.c","function":"isor_reader_get_sample"},"id":"CVE-2021-40592-17508495"},{"signature_type":"Function","source":"https://github.com/gpac/gpac/commit/71460d72ec07df766dab0a4d52687529f3efcf0a","digest":{"function_hash":"141052902239343278485534183727623172022","length":9019},"deprecated":false,"signature_version":"v1","target":{"file":"src/filters/isoffin_read.c","function":"isoffin_process"},"id":"CVE-2021-40592-1ecfb922"},{"signature_type":"Line","source":"https://github.com/gpac/gpac/commit/71460d72ec07df766dab0a4d52687529f3efcf0a","digest":{"threshold":0.9,"line_hashes":["217346045157420343689342954955354570760","28429304569143555352521589664605251870","19564312157577017485839088500722397301","248506551501105414112911258771177395436"]},"deprecated":false,"signature_version":"v1","target":{"file":"src/filters/isoffin_read_ch.c"},"id":"CVE-2021-40592-47f27bea"},{"signature_type":"Line","source":"https://github.com/gpac/gpac/commit/71460d72ec07df766dab0a4d52687529f3efcf0a","digest":{"threshold":0.9,"line_hashes":["269607663013451237892082978423129001957","78264318460833771803993246514488890513","216475824157634277260477925796926446347","249496714320650266986933671096981724511"]},"deprecated":false,"signature_version":"v1","target":{"file":"src/filters/isoffin_read.c"},"id":"CVE-2021-40592-c88a80ee"}],"vanir_signatures_modified":"2026-04-11T21:23:24Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-40592.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}