{"id":"CVE-2026-2889","details":"A vulnerability was detected in CCExtractor up to 0.96.5. Affected is the function processmp4 in the library src/lib_ccx/mp4.c. Performing a manipulation results in use after free. The attack is only possible with local access. The exploit is now public and may be used. Upgrading to version 0.96.6 is able to address this issue. The patch is named fd7271bae238ccb3ae8a71304ea64f0886324925. You should upgrade the affected component.","modified":"2026-04-12T20:28:22.818786Z","published":"2026-02-21T22:15:59.353Z","references":[{"type":"WEB","url":"https://github.com/CCExtractor/ccextractor/releases/tag/v0.96.6"},{"type":"WEB","url":"https://github.com/oneafter/0123/blob/main/cc3/repro"},{"type":"WEB","url":"https://vuldb.com/?id.347182"},{"type":"WEB","url":"https://vuldb.com/?submit.755029"},{"type":"WEB","url":"https://vuldb.com/?ctiid.347182"},{"type":"WEB","url":"https://github.com/CCExtractor/ccextractor/"},{"type":"REPORT","url":"https://github.com/CCExtractor/ccextractor/issues/2055"},{"type":"FIX","url":"https://github.com/CCExtractor/ccextractor/pull/2057"},{"type":"FIX","url":"https://github.com/CCExtractor/ccextractor/commit/fd7271bae238ccb3ae8a71304ea64f0886324925"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ccextractor/ccextractor","events":[{"introduced":"0"},{"fixed":"fd7271bae238ccb3ae8a71304ea64f0886324925"}]},{"type":"GIT","repo":"https://github.com/ccextractor/ccextractor","events":[{"introduced":"0"},{"fixed":"185631dcb0217b4ad09d43009cb69f0593996a5d"}]}],"versions":["v0.70","v0.73","v0.74","v0.75","v0.76","v0.77","v0.78","v0.79","v0.83","v0.84","v0.85","v0.85b","v0.86","v0.87","v0.88","v0.89","v0.90","v0.91","v0.92","v0.93","v0.94","v0.96","v0.96.1","v0.96.2","v0.96.3","v0.96.4","v0.96.5"],"database_specific":{"vanir_signatures_modified":"2026-04-12T20:28:22Z","vanir_signatures":[{"digest":{"line_hashes":["268084206463964796024015378500305838941","254774608404346571179725158523098331095","181555103938976803185625693980704197134","13895809837220784386125091335733592582"],"threshold":0.9},"source":"https://github.com/ccextractor/ccextractor/commit/fd7271bae238ccb3ae8a71304ea64f0886324925","id":"CVE-2026-2889-2da52f3c","signature_version":"v1","deprecated":false,"target":{"file":"src/lib_ccx/mp4.c"},"signature_type":"Line"},{"digest":{"function_hash":"168783320918762457692703000749359075553","length":9778},"source":"https://github.com/ccextractor/ccextractor/commit/fd7271bae238ccb3ae8a71304ea64f0886324925","id":"CVE-2026-2889-3dcf91e3","signature_version":"v1","deprecated":false,"target":{"file":"src/lib_ccx/ts_tables.c","function":"parse_PMT"},"signature_type":"Function"},{"digest":{"function_hash":"319390203887814197306087676168967181488","length":9048},"source":"https://github.com/ccextractor/ccextractor/commit/fd7271bae238ccb3ae8a71304ea64f0886324925","id":"CVE-2026-2889-6643399d","signature_version":"v1","deprecated":false,"target":{"file":"src/lib_ccx/mp4.c","function":"processmp4"},"signature_type":"Function"},{"digest":{"function_hash":"163437826467338751066847268261177864261","length":3574},"source":"https://github.com/ccextractor/ccextractor/commit/fd7271bae238ccb3ae8a71304ea64f0886324925","id":"CVE-2026-2889-a9c8aa4a","signature_version":"v1","deprecated":false,"target":{"file":"src/lib_ccx/ts_tables.c","function":"parse_PAT"},"signature_type":"Function"},{"digest":{"line_hashes":["262233263044280559635643805212158708491","186397457794567455341493973677993329934","144833588488660765080911707542795417449","222701608767875312846042142437623115307","72091544595478024960231427334144362229","274910035117258086469502219878236509258","98069193800936354371588285816871594953","287258658584949710030799267683252424354","322249709969136488743348381363505130157","133971348316274134195358327798707233385","192690021554753830910145047033638215929","165996735762037891307360703542698719073","20631365143687003979010250023609770440","299941716532484618942222197046988800391","140964611875614036063826884500367932259","216120134842979986078832162294962308555"],"threshold":0.9},"source":"https://github.com/ccextractor/ccextractor/commit/fd7271bae238ccb3ae8a71304ea64f0886324925","id":"CVE-2026-2889-bb458d24","signature_version":"v1","deprecated":false,"target":{"file":"src/lib_ccx/ts_tables.c"},"signature_type":"Line"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2889.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}]}