Skip to main content

GPAC MP4Box CVE-2025-55651

MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-09 mitre
5.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 10, 2026 - 15:36 vuln.today
CVSS changed
Jun 10, 2026 - 15:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 09, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A NULL pointer dereference in the gf_isom_get_user_data_count function (isomedia/isom_read.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

AnalysisAI

NULL pointer dereference in GPAC MP4Box v2.4 crashes the application when parsing a maliciously crafted MP4 file, enabling a Denial of Service against any user or pipeline that processes untrusted media with this tool. The flaw resides in gf_isom_get_user_data_count within isomedia/isom_read.c, where an unvalidated pointer is dereferenced during user-data atom counting. Publicly available exploit code exists as a crafted MP4 PoC, though no public exploit identified at time of analysis in CISA KEV and EPSS sits at the 5th percentile, suggesting minimal observed exploitation activity.

Technical ContextAI

GPAC is an open-source multimedia framework; MP4Box is its ISO Base Media File Format (ISOBMFF/MP4) muxing and analysis CLI tool. The vulnerable function gf_isom_get_user_data_count in isomedia/isom_read.c is responsible for traversing user-data (UDTA) boxes within an MP4 container to count embedded metadata entries. CWE-476 (NULL Pointer Dereference) indicates that a pointer - likely a box or track handle - is not validated before dereferencing, meaning a specially constructed MP4 that omits or malforms expected structures causes a null deref and process crash. The CPE data provided (cpe:2.3:a:n/a:n/a) is generic and not vendor-attributed by NVD, so version scope beyond the stated v2.4 is unconfirmed from available data.

RemediationAI

No vendor-released patch identified at time of analysis. No official GPAC security advisory was found among the provided references. As a compensating control, avoid passing untrusted or externally sourced MP4 files to MP4Box in automated pipelines - restrict input to files from trusted, integrity-verified sources only. For processing pipelines that must handle untrusted media, run MP4Box inside an isolated container or sandbox (e.g., seccomp-restricted Docker container or gVisor) to limit crash blast radius to the sandboxed process. If MP4Box is used interactively, advise users not to process MP4 files from unknown sources until a patch is confirmed. Monitor the GPAC GitHub repository (https://github.com/gpac/gpac) for commits addressing gf_isom_get_user_data_count in isomedia/isom_read.c as an indicator of an upstream fix.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2025-55651 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy