CVE-2021-32276
Description
A NULL pointer dereference in faad2 up to 2.10.0 allows denial of service via a crafted AAC file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in faad2 up to 2.10.0 allows denial of service via a crafted AAC file.
Vulnerability
A NULL pointer dereference vulnerability exists in the get_sample() function located in output.c of faad2, affecting versions through 2.10.0. The issue occurs when processing a crafted AAC file, leading to a segmentation fault at line 49 of output.c[1].
Exploitation
An attacker can trigger this vulnerability by providing a specially crafted AAC file to the faad2 frontend, for example with the command ./frontend/faad -w -b 5 . No authentication or special privileges are required; the attack vector is local and relies on the user processing the malicious file. The crash is reproducible with the AddressSanitizer as shown in the reference[1].
Impact
Successful exploitation results in a denial of service (DoS) due to a segmentation fault. The crash causes the application to terminate abnormally. No disclosure of sensitive information or code execution is indicated; the impact is limited to availability[1].
Mitigation
As of the reference publication (September 2021), no patched version has been released. Users should monitor the faad2 repository for updates. If the software is not required, consider removing it or avoiding processing untrusted AAC files. The CVE is not listed in the KEV as of this writing.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- faad2/faad2description
- Range: <=2.10.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"NULL pointer dereference in get_sample() at output.c:49 when decoding a crafted AAC/MP4 file."
Attack vector
An attacker provides a crafted AAC/MP4 file that causes a NULL pointer dereference in the `get_sample()` function [ref_id=1]. The file is processed by the faad decoder, which reads from a NULL address, resulting in a segmentation fault. No authentication or special network access is required beyond delivering the malformed media file to the victim's faad-based application.
Affected code
The crash occurs in `get_sample()` at `libfaad/output.c:49:16`, called from `to_PCM_double()` at line 390 and `output_to_PCM()` at line 427, ultimately triggered via `aac_frame_decode()` in `libfaad/decoder.c:1176:21` and `decodeMP4file()` in `frontend/main.c:916:25`.
What the fix does
The advisory does not include a patch. The issue report [ref_id=1] identifies the crash location but does not provide a fix. To remediate, the `get_sample()` function must validate that the sample pointer is non-NULL before dereferencing it, or the caller must ensure that only valid sample data reaches the output stage.
Preconditions
- inputThe attacker must supply a malformed AAC or MP4 file that triggers the NULL pointer dereference in get_sample().
- configThe victim must process the crafted file using faad2 (e.g., via the `faad` command-line tool or an application using libfaad).
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- www.debian.org/security/2022/dsa-5109mitrevendor-advisoryx_refsource_DEBIAN
- github.com/knik0/faad2/issues/58mitrex_refsource_MISC
- lists.debian.org/debian-lts-announce/2021/10/msg00020.htmlmitremailing-listx_refsource_MLIST
News mentions
0No linked articles in our index yet.