CVE-2021-32278

Vulnerability

A heap-buffer-overflow vulnerability exists in the lt_prediction function in lt_predict.c at line 108. The issue affects faad2 through version 2.10.0 and was confirmed on the latest master commit (f71b5e) at the time of disclosure [1]. The overflow occurs when processing a specially crafted AAC file, specifically during the reconstruction of a single channel in the spectral data decoding phase [1].

Exploitation

An attacker can trigger the vulnerability by supplying a malicious AAC file to the faad2 decoder. The provided reference demonstrates a proof of concept using the command ./frontend/faad -w -b 5 @@ on an Ubuntu x86_64 system compiled with AddressSanitizer [1]. No special privileges or user interaction beyond opening the file are required; the overflow is triggered during normal decoding as the file is parsed through faad_main --> decodeMP4file --> aac_frame_decode --> raw_data_block --> decode_sce_lfe --> reconstruct_single_channel --> lt_prediction [1].

Impact

Successful exploitation results in a heap-buffer-overflow read of size 2 bytes at a memory location 122 bytes to the left of an allocated region [1]. While the crash is a read overflow, the context of a heap overflow can be leveraged by an attacker to achieve code execution, as indicated in the official description of the CVE. The attacker gains the ability to execute arbitrary code with the privileges of the process running the faad2 decoder.

Mitigation

As of the publication date (2021-09-20), no official patch has been released for this vulnerability [1]. Users are advised to monitor the faad2 repository for updates and avoid processing untrusted AAC files with affected versions (<= 2.10.0). The issue is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.