CVE-2021-32273
Description
A stack-buffer-overflow in faad2's mp4read.c ftypin function allows remote code execution via crafted MP4 file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack-buffer-overflow in faad2's mp4read.c ftypin function allows remote code execution via crafted MP4 file.
Vulnerability
A stack-buffer-overflow vulnerability exists in the ftypin function in mp4read.c of faad2 through version 2.10.0 [1]. The function reads a 41-byte string into a 40-byte stack buffer buf (line 128), causing a buffer overflow when processing a crafted MP4 file's ftyp atom. The overflow is triggered during parsing of the MP4 file header.
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted MP4 file to the faad decoder. No authentication or special privileges are required; the victim only needs to open the malicious file using the faad command-line tool (e.g., ./frontend/faad -w -b 5 crafted.mp4). The overflow occurs in the ftypin function at mp4read.c:141 when fprintf is called with the oversized buffer.
Impact
Successful exploitation allows an attacker to achieve arbitrary code execution in the context of the faad process. The stack-based overflow can overwrite return addresses and other critical data, leading to control-flow hijacking.
Mitigation
As of the publication date (2021-09-20), no official patch has been released for this vulnerability. Users are advised to avoid processing untrusted MP4 files with faad2 versions up to 2.10.0 until a fix is available. The issue is tracked in the project's GitHub repository [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- faad2/faad2description
- Range: <=2.10.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Stack buffer overflow in ftypin: a 40-byte local buffer is read with fprintf beyond its allocated size."
Attack vector
An attacker supplies a crafted MP4 file that triggers a stack-buffer-overflow in the `ftypin` function when faad2 parses the file's ftyp atom. The overflow is a read of 41 bytes from a 40-byte stack buffer (`buf`), which can lead to code execution [ref_id=1]. No authentication or special network access is required beyond delivering the malicious file to the decoder.
Affected code
The vulnerability is in the function `ftypin` in `mp4read.c` at line 141, where a `fprintf` call reads beyond the bounds of the stack buffer `buf` (declared at line 128). The crash occurs during `mp4read_open` → `parse` → `ftypin` [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] identifies the root cause as a stack-buffer-overflow in `ftypin` at line 141 of `mp4read.c`, where `fprintf` reads past the end of the 40-byte local buffer `buf`. A fix would need to ensure the buffer is large enough for the data being printed or that the data is truncated before being passed to `fprintf`.
Preconditions
- inputThe attacker must provide a crafted MP4 file that causes the ftyp atom data to exceed the 40-byte stack buffer.
- configThe victim must process the file with faad2 (e.g., via the `faad` frontend).
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- www.debian.org/security/2022/dsa-5109mitrevendor-advisoryx_refsource_DEBIAN
- github.com/knik0/faad2/issues/56mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.