PatchSiren cyber security CVE debrief

CVE-2026-36908 axiomatic-systems CVE debrief

CVE-2026-36908 is a stack overflow vulnerability in the AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity component of axiomatic-systems Bento4 before v1.8.9. It allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. The vulnerability has a CVSS score of 5.5 and a severity of MEDIUM. The CVE record was published on 2026-06-26T22:16:31.747Z and last modified on 2026-06-29T14:16:50.210Z.

Vendor: axiomatic-systems
Product: Bento4
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-26
Original CVE updated: 2026-06-29
Advisory published: 2026-06-26
Advisory updated: 2026-06-29

Who should care

Organizations using Bento4 versions before v1.8.9 should be aware of this vulnerability and take steps to mitigate it. It can be triggered by a crafted MP4 file, and the result is a Denial of Service (DoS).

Technical summary

The vulnerability is a stack overflow in the AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity component of Bento4. It occurs when the EnsureCapacity function is called with a large value, causing the stack to overflow. An attacker can exploit it by providing a crafted MP4 file that triggers the EnsureCapacity function with a large value, resulting in a Denial of Service (DoS).

Defensive priority

The defensive priority for this vulnerability is MEDIUM. Organizations should prioritize upgrading Bento4 installations older than v1.8.9 to mitigate it.

Recommended defensive actions

  • Patch Bento4 to version 1.8.9 or later
  • Restrict access to MP4 file processing to trusted sources
  • Monitor for suspicious MP4 file activity
  • Implement additional security controls to detect and prevent exploitation
  • Review and update incident response plans to address potential DoS attacks
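
As an added example (not PatchSiren's or Bento4's code), a pre-screen that supports the restriction and monitoring items above: it walks the moof/traf boxes of an MP4 buffer and flags any trun box whose declared sample_count cannot fit in the box. It assumes the large EnsureCapacity value comes from the trun sample_count field, which this page does not state; MAX_SAMPLES and all function names are hypothetical.

```python
import struct

# trun per-sample optional fields (ISO/IEC 14496-12), 4 bytes each:
# duration, size, flags, composition time offset.
SAMPLE_FLAGS = (0x100, 0x200, 0x400, 0x800)
CONTAINERS = {b"moof", b"traf"}   # only the path to trun is descended
MAX_SAMPLES = 1_000_000           # hypothetical policy cap, tune locally

def box(kind, payload):
    """Build a box with a 32-bit size header (used for the constructed samples)."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

def trun_findings(buf, start=0, end=None, out=None):
    """Return [(offset, reason)] for malformed boxes and implausible trun counts."""
    end = len(buf) if end is None else end
    out = [] if out is None else out
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", buf, pos)
        hdr = 8
        if size == 1 and pos + 16 <= end:      # 64-bit largesize after the type
            size, hdr = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                        # box runs to end of enclosing range
            size = end - pos
        if size < hdr or pos + size > end:
            out.append((pos, "box size out of range"))
            break
        if kind in CONTAINERS:
            trun_findings(buf, pos + hdr, pos + size, out)
        elif kind == b"trun":
            check_trun(buf, pos, pos + hdr, pos + size, out)
        pos += size
    return out

def check_trun(buf, off, body, box_end, out):
    if box_end - body < 8:                     # version/flags + sample_count
        out.append((off, "trun too short"))
        return
    flags, count = struct.unpack_from(">II", buf, body)
    flags &= 0xFFFFFF                          # drop the version byte
    fixed = 8 + 4 * bool(flags & 0x1) + 4 * bool(flags & 0x4)
    per_sample = 4 * sum(1 for f in SAMPLE_FLAGS if flags & f)
    if count > MAX_SAMPLES or fixed + count * per_sample > box_end - body:
        out.append((off, f"trun sample_count {count} does not fit box"))

# Constructed samples: two entries declared and present, then 0x7FFFFFFF declared.
GOOD = box(b"moof", box(b"traf", box(b"trun", struct.pack(">III", 0x200, 2, 100) + b"\0\0\0\x64")))
BAD = box(b"moof", box(b"traf", box(b"trun", struct.pack(">II", 0x200, 0x7FFFFFFF))))
```

Files that produce findings can be quarantined or logged before they reach a Bento4-based pipeline; a clean result is not a substitute for upgrading to v1.8.9 or later.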

Evidence notes

The CVE record was published on 2026-06-26T22:16:31.747Z and last modified on 2026-06-29T14:16:50.210Z. The vulnerability affects Bento4 versions before v1.8.9. The CVSS score is 5.5 and the severity is MEDIUM.

This article is AI-assisted and based on the supplied source corpus.