Description

A vulnerability was found in CCExtractor up to 0.96.5. It affects the function processmp4 in src/lib_ccx/mp4.c. Manipulation leads to a use after free. The attack requires local access. The exploit is public and may be used. Upgrading to version 0.96.6 addresses this issue. The patch is named fd7271bae238ccb3ae8a71304ea64f0886324925. Upgrading the affected component is recommended.

PUBLISHED Reserved 2026-02-20 | Published 2026-02-21 | Updated 2026-02-23 | Assigner VulDB




MEDIUM: 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
LOW: 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
LOW: 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
1.7 AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C

Problem types

Use After Free

Memory Corruption

Timeline

2026-02-20: Advisory disclosed
2026-02-20: VulDB entry created
2026-02-20: VulDB entry last update

Credits

Oneafter (VulDB User), reporter

References

vuldb.com/?id.347182 (VDB-347182 | CCExtractor mp4.c processmp4 use after free) vdb-entry technical-description

vuldb.com/?ctiid.347182 (VDB-347182 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.755029 (Submit #755029 | CCExtractor ccextractor c65fb08 Memory Corruption) third-party-advisory

github.com/CCExtractor/ccextractor/issues/2055 issue-tracking

github.com/CCExtractor/ccextractor/pull/2057 issue-tracking

github.com/oneafter/0123/blob/main/cc3/repro exploit

github.com/...ommit/fd7271bae238ccb3ae8a71304ea64f0886324925 patch

github.com/CCExtractor/ccextractor/releases/tag/v0.96.6 patch

github.com/CCExtractor/ccextractor/ product

cve.org (CVE-2026-2889)

nvd.nist.gov (CVE-2026-2889)
