CVE-2024-30809 Overview
CVE-2024-30809 is a heap use-after-free vulnerability [CWE-416] in Axiosys Bento4 version v1.6.0-641-2-g1529b83. The flaw resides in Ap4Sample.h within the AP4_Sample::GetOffset() const method. An attacker can trigger the condition by supplying a crafted MP4 file to tools that link against the library, such as mp42ts. Successful exploitation results in a Denial of Service (DoS) condition when the affected process accesses freed heap memory. The vulnerability is network-reachable when Bento4 components process untrusted media files in pipelines, conversion services, or media servers.
Critical Impact
Remote attackers can crash applications built on Bento4 by delivering a malformed MP4 file, disrupting media processing workflows that rely on mp42ts or related utilities.
Affected Products
- Axiosys Bento4 v1.6.0-641-2-g1529b83
- Bento4 mp42ts conversion utility
- Downstream applications and services that embed the affected Bento4 library version
Discovery Timeline
- 2024-04-02 - CVE-2024-30809 published to the National Vulnerability Database (NVD)
- 2025-05-27 - Last updated in NVD database
Technical Details for CVE-2024-30809
Vulnerability Analysis
The vulnerability is classified under [CWE-416] Use After Free. Bento4 parses MP4 containers and constructs AP4_Sample objects representing individual media samples. The AP4_Sample::GetOffset() accessor in Ap4Sample.h reads from an internal data structure that can be freed earlier in the parsing sequence. When mp42ts or similar utilities subsequently invoke GetOffset() on the dangling reference, the process accesses freed heap memory. The result is a deterministic crash that terminates the media processing operation.
Root Cause
The root cause is improper lifetime management of heap-allocated sample data inside AP4_Sample. The object retains references to memory that has been released along an earlier code path. The const accessor GetOffset() performs no validity check on its backing storage before dereferencing it. Crafted MP4 atom sequences reach the freed state and then exercise the accessor.
Attack Vector
The attack vector is network-accessible processing of untrusted MP4 input. An attacker delivers a malformed MP4 file to any service or workflow that invokes Bento4 utilities. Examples include media transcoding APIs, content ingestion pipelines, and streaming preparation tools. Exploitation requires no authentication and no user interaction beyond submitting the file. The impact is limited to availability — the process aborts but confidentiality and integrity are not affected.
// No verified proof-of-concept code is published. See GitHub Issue #937
// for the reproducer description and crash trace.
Detection Methods for CVE-2024-30809
Indicators of Compromise
- Unexpected termination or SIGSEGV crashes of mp42ts or other Bento4-linked binaries when processing MP4 files
- Heap corruption traces in core dumps referencing AP4_Sample::GetOffset in Ap4Sample.h
- Repeated submission of malformed MP4 files to media ingestion endpoints from a single source
Detection Strategies
- Monitor process exit codes and crash counts for media processing workers that depend on Bento4
- Enable AddressSanitizer (ASan) builds in test environments to surface use-after-free conditions during MP4 parsing
- Inspect MP4 inputs for malformed stbl, stsz, or stco atoms that misalign sample offsets
Monitoring Recommendations
- Alert on abnormal crash rates in media transcoding services and correlate with originating file hashes
- Capture and quarantine MP4 files that trigger Bento4 crashes for offline analysis
- Track Bento4 binary versions across build pipelines to confirm patched releases are deployed
How to Mitigate CVE-2024-30809
Immediate Actions Required
- Inventory all systems and container images that ship mp42ts or link against Bento4 v1.6.0-641-2-g1529b83
- Restrict Bento4-based media processing to sandboxed workers with restart-on-crash supervision
- Validate uploaded MP4 files against expected size, atom structure, and source before invoking Bento4
Patch Information
No vendor security advisory or fixed release is referenced in the NVD record. Track upstream activity through GitHub Issue #937 and the CVE-2024-30809 information repository. Until an official fix lands, build Bento4 from a newer commit on the master branch and verify the crash no longer reproduces with the published test case.
Workarounds
- Run Bento4 utilities under process isolation with strict CPU, memory, and time limits to contain DoS impact
- Reject MP4 uploads that fail structural validation in an upstream parser before reaching Bento4
- Replace mp42ts with an alternative MPEG-TS muxer for untrusted input where feasible
# Example: run mp42ts in a constrained sandbox with timeout and resource limits
timeout 30s \
systemd-run --scope -p MemoryMax=512M -p CPUQuota=50% \
mp42ts /input/untrusted.mp4 /output/stream.ts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
