CVE-2026-2889

A vulnerability was detected in CCExtractor up to 0.96.5. Affected is the function processmp4 in the library src/lib_ccx/mp4.c. Performing a manipulation results in use after free. The attack is only possible with local access. The exploit is now public and may be used. Upgrading to version 0.96.6 is able to address this issue. The patch is named fd7271bae238ccb3ae8a71304ea64f0886324925. You should upgrade the affected component.

CVSS v3 3.3 LOW
CVSS v2.0 1.7 LOW

3.3^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

1.7^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:S/C:N/I:N/A:P

Exploitability : 3.1 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://github.com/CCExtractor/ccextractor/
https://github.com/CCExtractor/ccextractor/commit/fd7271bae238ccb3ae8a71304ea64f0886324925
https://github.com/CCExtractor/ccextractor/issues/2055
https://github.com/CCExtractor/ccextractor/pull/2057
https://github.com/CCExtractor/ccextractor/releases/tag/v0.96.6
https://github.com/oneafter/0123/blob/main/cc3/repro
https://vuldb.com/?ctiid.347182
https://vuldb.com/?id.347182
https://vuldb.com/?submit.755029

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Se detectó una vulnerabilidad en CCExtractor hasta 0.96.5 que afecta a la función processmp4 en la biblioteca src/lib_ccx/mp4.c. Manipularlo provoca un use after free. El ataque solo es posible con acceso local. El exploit ahora es público y puede ser usado. La actualización 0.96.6 es capaz de solventar este problema. El parche se llama fd7271bae238ccb3ae8a71304ea64f0886324925. Debería actualizar el componente afectado.

21 Feb 2026, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-21 22:15

Updated : 2026-04-29 01:00

NVD link : CVE-2026-2889

Mitre link : CVE-2026-2889

CVE.ORG link : CVE-2026-2889

JSON object : View

Products Affected

No product.

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-416

Use After Free

{"id": "CVE-2026-2889", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"version": "2.0", "baseScore": 1.7, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.1, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "cna@vuldb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 1.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-21T22:15:59.353", "references": [{"url": "https://github.com/CCExtractor/ccextractor/", "source": "cna@vuldb.com"}, {"url": "https://github.com/CCExtractor/ccextractor/commit/fd7271bae238ccb3ae8a71304ea64f0886324925", "source": "cna@vuldb.com"}, {"url": "https://github.com/CCExtractor/ccextractor/issues/2055", "source": "cna@vuldb.com"}, {"url": "https://github.com/CCExtractor/ccextractor/pull/2057", "source": "cna@vuldb.com"}, {"url": "https://github.com/CCExtractor/ccextractor/releases/tag/v0.96.6", "source": "cna@vuldb.com"}, {"url": "https://github.com/oneafter/0123/blob/main/cc3/repro", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.347182", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.347182", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.755029", "source": "cna@vuldb.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "cna@vuldb.com", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in CCExtractor up to 0.96.5. Affected is the function processmp4 in the library src/lib_ccx/mp4.c. Performing a manipulation results in use after free. The attack is only possible with local access. The exploit is now public and may be used. Upgrading to version 0.96.6 is able to address this issue. The patch is named fd7271bae238ccb3ae8a71304ea64f0886324925. You should upgrade the affected component."}, {"lang": "es", "value": "Se detect\u00f3 una vulnerabilidad en CCExtractor hasta 0.96.5 que afecta a la funci\u00f3n processmp4 en la biblioteca src/lib_ccx/mp4.c. Manipularlo provoca un use after free. El ataque solo es posible con acceso local. El exploit ahora es p\u00fablico y puede ser usado. La actualizaci\u00f3n 0.96.6 es capaz de solventar este problema. El parche se llama fd7271bae238ccb3ae8a71304ea64f0886324925. Deber\u00eda actualizar el componente afectado."}], "lastModified": "2026-04-29T01:00:01.613", "sourceIdentifier": "cna@vuldb.com"}