CVE-2021-32274
Description
Heap-buffer-overflow in faad2's sbr_qmf_synthesis_64 function allows remote code execution via a crafted AAC file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In faad2 up to version 2.10.0, a heap-buffer-overflow exists in the function sbr_qmf_synthesis_64, in sbr_qmf.c at line 614 [1]. It occurs when processing specially crafted AAC files and leads to an out-of-bounds memory write.
Exploitation
An attacker can exploit this vulnerability by providing a malicious AAC or MP4 file. No authentication is required; the user must open the file with faad2 (e.g., via the faad utility or an application using the library) [1].
Impact
Successful exploitation allows an attacker to cause a heap-buffer-overflow, potentially leading to code execution with the privileges of the process using faad2 [1].
Mitigation
As of the publication date, no fix has been released in an official version. Users should monitor the faad2 repository for updates and avoid processing untrusted AAC files [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- faad2/faad2
- Range: <=2.10.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check in sbr_qmf_synthesis_64 allows a heap-buffer-overflow when writing synthesized QMF data."
Attack vector
An attacker supplies a crafted AAC audio file that triggers a heap-buffer-overflow when the decoder processes the spectral band replication (SBR) data. The overflow occurs during the QMF synthesis step in `sbr_qmf_synthesis_64`, writing 4 bytes past the end of a 4096-byte heap buffer allocated by `allocate_single_channel`. No authentication or special network access is required beyond delivering the malformed file to the decoder.
Affected code
The heap-buffer-overflow occurs in `sbr_qmf_synthesis_64` at `sbr_qmf.c:614:27` within the faad2 library (up to version 2.10.0). The call chain passes through `sbrDecodeSingleFrame`, `reconstruct_single_channel`, and `single_lfe_channel_element` during AAC decoding.
What the fix does
The advisory does not include a published patch. The root cause is a missing bounds check in `sbr_qmf_synthesis_64` that allows writing beyond the allocated buffer. A fix would need to validate the write index against the buffer size before performing the store at line 614, or ensure the allocated buffer is large enough for all possible SBR synthesis operations.
Preconditions
- Config: The target must use a vulnerable version of faad2 (up to 2.10.0) to decode a crafted AAC file.
- Input: The attacker must supply a malformed AAC file that triggers the SBR QMF synthesis path.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.debian.org/security/2022/dsa-5109 (mitre; vendor-advisory; x_refsource_DEBIAN)
- github.com/knik0/faad2/issues/60 (mitre; x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2021/10/msg00020.html (mitre; mailing-list; x_refsource_MLIST)