Skip to main content

GPAC MP4Box CVE-2025-15668

| EUVDEUVD-2025-210430 LOW
Heap-based Buffer Overflow (CWE-122)
2026-07-06 VulDB GHSA-3wg7-wrw9-8qvf
1.9
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
1.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.3 LOW

Local-only vector with low privileges; sole impact is application availability (crash); no confidentiality or integrity compromise is possible.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
Jul 06, 2026 - 12:22 NVD
MEDIUM LOW
CVSS changed
Jul 06, 2026 - 12:22 NVD
4.8 (MEDIUM) 1.9 (LOW)
Analysis Generated
Jul 06, 2026 - 12:21 vuln.today

DescriptionCVE.org

A vulnerability was identified in GPAC up to b40ce70f5. This issue affects the function sgpd_del_entry of the file src/isomedia/box_code_base.c of the component MP4Box. Such manipulation of the argument data leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit is publicly available and might be used. The name of the patch is f29f955f2a3b5e8e507caad3e52319f961bf37bf. It is advisable to implement a patch to correct this issue.

AnalysisAI

Heap-based buffer overflow in GPAC's MP4Box component allows a local low-privileged attacker to crash the application by supplying a crafted MP4 file. The vulnerable function sgpd_del_entry in src/isomedia/box_code_base.c mishandles the data argument during Sample Group Description Box parsing, triggering an out-of-bounds heap write. A public proof-of-concept exploit exists; however, the vulnerability is not in CISA KEV and the CVSS 4.0 score of 4.8 reflects limited availability-only impact with no confidentiality or integrity compromise.

Technical ContextAI

GPAC is an open-source multimedia framework for ISO Base Media File Format (ISOBMFF/MP4) processing; MP4Box is its command-line muxing and inspection tool. The vulnerable code path is in src/isomedia/box_code_base.c within the sgpd_del_entry function, which handles deletion of Sample Group Description (SGPD) box entries during MP4 parsing. CWE-122 (Heap-based Buffer Overflow) identifies the root cause: the function writes beyond the bounds of a heap-allocated buffer when processing a malformed data argument from a crafted MP4 container. The CPE cpe:2.3:a:n/a:gpac:*:*:*:*:*:*:*:* covers all GPAC versions up to commit b40ce70f5, indicating the flaw predates the upstream patch applied at f29f955f2a3b5e8e507caad3e52319f961bf37bf.

RemediationAI

Apply upstream patch commit f29f955f2a3b5e8e507caad3e52319f961bf37bf from the GPAC GitHub repository at https://github.com/gpac/gpac/commit/f29f955f2a3b5e8e507caad3e52319f961bf37bf. Because no specific tagged release incorporating this fix was confirmed in available data, users should rebuild GPAC from a source tree at or after this commit and monitor the GPAC releases page for an official patched release. As a compensating control where patching is not immediately possible, restrict execution of MP4Box to trusted users only and avoid ingesting untrusted or externally sourced MP4 files in automated pipelines; this eliminates the attacker-controlled input path required for exploitation. The VulDB advisory with additional context is available at https://vuldb.com/cve/CVE-2025-15668.

More in Gpac

View all
CVE-2023-46932 CRITICAL POC
9.8 Dec 09

Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitra

CVE-2023-2840 CRITICAL POC
9.8 May 22

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2. Rated critical severity (CVSS 9.8), this vulnera

CVE-2022-36190 CRITICAL POC
9.8 Aug 17

GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerability in function gf_isom_dovi_config_get. Rated crit

CVE-2022-1795 CRITICAL POC
9.8 May 18

Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2021-28300 CRITICAL POC
9.8 Apr 14

NULL Pointer Dereference in the "isomedia/track.c" module's "MergeTrack()" function of GPAC v0.5.2 allows attackers to e

CVE-2020-11558 CRITICAL POC
9.8 Apr 05

An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. Rated critical severity (CVSS 9.8), this

CVE-2018-13005 CRITICAL POC
9.8 Jun 29

An issue was discovered in MP4Box in GPAC 0.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2023-2838 CRITICAL POC
9.1 May 22

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2. Rated critical severity (CVSS 9.1), this vulnerability

CVE-2023-0841 HIGH POC
8.8 Feb 15

A vulnerability, which was classified as critical, has been found in GPAC 2.3-DEV-rev40-g3602a5ded.c. Rated high severit

CVE-2022-4202 HIGH POC
8.8 Nov 29

A vulnerability, which was classified as problematic, was found in GPAC 2.1-DEV-rev490-g68064e101-master. Rated high sev

CVE-2021-21850 HIGH POC
8.8 Aug 25

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Adv

CVE-2021-21849 HIGH POC
8.8 Aug 25

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Adv

Share

CVE-2025-15668 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy