Cyber Resilience

CVE-2024-24155

Severity: Medium · Public PoC

Published: 29 February 2024
Modified: 16 January 2025
KEV Added: not listed
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
EPSS Score: 0.0020 (42.0th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-24155 is a medium-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in Axiosys Bento4. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 42.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.


Vulnerability details

Bento4 v1.5.1-628 contains a memory leak in AP4_Movie::AP4_Movie: tracks are parsed and added to the m_Tracks list, but mp42aac does not correctly delete them when a "no audio track found" error occurs. This vulnerability allows attackers to cause a denial of service (DoS) via a crafted MP4 file.
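As an added illustration of the leak class described above (example code, not Bento4's or mp42aac's own source): a parser that owns its tracks through raw pointers in a list leaks every one of them when the "no audio track found" error path returns early, while the same parser written with RAII ownership frees them on every return. The names Track, LeakyMovie, SafeMovie and tracksLeakedBy are hypothetical stand-ins for the real AP4_Movie / m_Tracks code, and the track table is a constructed input.

```cpp
// Added illustration (not Bento4's code): the CWE-401 pattern described above,
// with hypothetical types Track, LeakyMovie and SafeMovie standing in for the
// parser's AP4_Movie / m_Tracks, and a fixed version using RAII ownership.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Instrumented track object: counts live instances so a leak is observable.
struct Track {
    static std::size_t live;          // number of Track objects currently alive
    std::string type;                 // "video", "audio", "subtitle", ...
    explicit Track(std::string t) : type(std::move(t)) { ++live; }
    ~Track() { --live; }
};
std::size_t Track::live = 0;

// Constructed sample input: a track table with no audio track, which is the
// condition that triggers the "no audio track found" error path.
static const std::vector<std::string> kVideoOnlyTable = {"video", "subtitle"};

// --- Leaky pattern: a container of raw owning pointers ----------------------
struct LeakyMovie {
    std::vector<Track*> tracks;       // owns the Tracks, but nothing frees them
    explicit LeakyMovie(const std::vector<std::string>& table) {
        for (const auto& t : table) tracks.push_back(new Track(t));
    }
    // No destructor: every caller must delete each Track and the movie itself.
};

// Returns 0 on success, 1 on "no audio track found". The error path returns
// without releasing the movie or its tracks: a CWE-401 memory leak.
int leakyExtractAudio(const std::vector<std::string>& table) {
    LeakyMovie* movie = new LeakyMovie(table);
    Track* audio = nullptr;
    for (Track* t : movie->tracks) {
        if (t->type == "audio") { audio = t; break; }
    }
    if (audio == nullptr) {
        return 1;                     // early return: nothing is deleted
    }
    // ... audio extraction would happen here ...
    for (Track* t : movie->tracks) delete t;
    delete movie;
    return 0;
}

// --- Fixed pattern: ownership expressed in the type -------------------------
struct SafeMovie {
    std::vector<std::unique_ptr<Track>> tracks;
    explicit SafeMovie(const std::vector<std::string>& table) {
        for (const auto& t : table) tracks.push_back(std::make_unique<Track>(t));
    }
    // Implicit destructor releases every Track on every exit path.
};

int safeExtractAudio(const std::vector<std::string>& table) {
    SafeMovie movie(table);           // automatic storage: destroyed on any return
    for (const auto& t : movie.tracks) {
        if (t->type == "audio") return 0;
    }
    return 1;                         // tracks are still freed by ~SafeMovie
}

// Number of Track objects still alive after fn() returns, relative to before.
// A correct implementation returns 0 regardless of the input's contents.
std::size_t tracksLeakedBy(int (*fn)(const std::vector<std::string>&),
                           const std::vector<std::string>& table) {
    std::size_t before = Track::live;
    fn(table);
    return Track::live - before;
}

int main() {
    std::printf("leaky version leaves %zu track(s) alive\n",
                tracksLeakedBy(leakyExtractAudio, kVideoOnlyTable));
    std::printf("fixed version leaves %zu track(s) alive\n",
                tracksLeakedBy(safeExtractAudio, kVideoOnlyTable));
    return 0;
}
```

The live-object counter is the cheap in-process check; the check a project would actually keep in its test suite is to build the parser's fuzz or unit tests with `-fsanitize=address` (LeakSanitizer is enabled with it on Linux), which reports the leaky path's allocations at exit while the RAII version runs clean. Note that the fix is structural: the error path needs no cleanup code because the container type owns the tracks.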


Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Memory leak in Bento4 MP4 parser (mp42aac) enables denial of service via crafted MP4 file, facilitating endpoint DoS through application exploitation.

Affected Assets

Vendor: axiosys
Product: bento4
Version: 1.5.1-628

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
