CVE-2024-24155 is a vulnerability identified in Bento4 version 1.5.1-628, a widely used open-source MP4 processing library. The flaw is a memory leak occurring in the AP4_Movie constructor function, specifically when parsing media tracks and adding them to the internal m_Tracks list. The root cause is that the mp42aac component does not correctly free allocated memory if it encounters an error condition where no audio track is found. This improper memory management leads to a leak, which can be triggered by a specially crafted MP4 file designed to exploit this logic path. The consequence is a Denial of Service (DoS) attack, where the targeted application or system processing the malicious MP4 file consumes increasing amounts of memory, potentially exhausting system resources and causing crashes or degraded performance. The vulnerability has a CVSS v3.1 base score of 6.5, reflecting medium severity, with an attack vector of network (remote), low attack complexity, no privileges required, but requiring user interaction (processing the file). The impact is limited to availability, with no confidentiality or integrity loss. No patches or fixes have been published yet, and no active exploits are known. The vulnerability is tracked under CWE-401 (Improper Release of Memory).

The primary impact of CVE-2024-24155 is a Denial of Service condition caused by memory exhaustion. Organizations that use Bento4 for media processing, streaming services, or any application that parses MP4 files could experience application crashes or degraded service availability if they process maliciously crafted MP4 files. This can disrupt media delivery, degrade user experience, and potentially cause downtime in services relying on Bento4. Since the vulnerability requires user interaction (processing a crafted file), automated systems ingesting untrusted media files are at risk. While the vulnerability does not compromise confidentiality or integrity, the availability impact can be significant for media platforms, content delivery networks, and any service that relies on Bento4 for MP4 parsing. The lack of a patch increases exposure until a fix is released.

To mitigate this vulnerability, organizations should implement strict input validation and filtering to block or quarantine untrusted or suspicious MP4 files before processing. Employ sandboxing or isolated environments for media file processing to contain potential DoS effects. Monitor memory usage of applications using Bento4 to detect abnormal consumption patterns indicative of exploitation attempts. Avoid using vulnerable versions of Bento4 in production environments until a patch is available. If possible, update to newer versions of Bento4 once the vendor releases a fix addressing this memory leak. Additionally, implement rate limiting and resource quotas on media processing services to reduce the impact of potential DoS attacks. Security teams should also maintain awareness of Bento4 updates and CVE advisories to apply patches promptly.