GPAC MP4Box CVE-2025-55657
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
A NULL pointer dereference in the gf_odf_vvc_cfg_write_bs function (odf/descriptors.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
AnalysisAI
Denial of service in GPAC MP4Box v2.4 allows remote attackers to crash the application by supplying a malicious MP4 file that triggers a NULL pointer dereference in the VVC (Versatile Video Coding) configuration writer. The flaw resides in gf_odf_vvc_cfg_write_bs within odf/descriptors.c and requires no authentication or user privileges beyond convincing the target to process the crafted file. No public exploit identified at time of analysis, and SSVC indicates exploitation has not been observed despite the issue being automatable.
Technical ContextAI
GPAC is an open-source multimedia framework whose MP4Box utility is widely used for packaging, multiplexing, and inspecting ISO Base Media File Format (MP4) content, including modern codecs such as VVC/H.266. The vulnerable routine gf_odf_vvc_cfg_write_bs serializes a VVC decoder configuration record into a bitstream and, per CWE-476 (NULL Pointer Dereference), fails to validate that a pointer derived from the parsed input is non-NULL before dereferencing it. Malformed VVC configuration structures embedded in an MP4 container therefore cause the process to crash. CPE data is not populated in NVD (cpe:2.3:a:n/a:n/a:*), so affected scope must be derived from the description, which explicitly cites GPAC MP4Box v2.4.
RemediationAI
No vendor-released patch identified at time of analysis; the only public reference is an infosec.exchange post (https://infosec.exchange/@sigdevel/116710754169365223) with no linked commit or fixed release. Monitor the GPAC GitHub repository (gpac/gpac) for a patched release beyond 2.4 and upgrade once available. As compensating controls, avoid processing untrusted MP4 files with MP4Box on production or shared systems; if MP4Box is invoked from an automated pipeline or web-facing transcoder, sandbox the process (seccomp, containers, or a dedicated low-privilege user) and enforce automatic restarts so a crash does not halt the pipeline, accepting the trade-off of slightly higher operational complexity. Pre-validate input files with a stricter parser or reject files containing VVC tracks if VVC support is not required, noting this will block legitimate VVC content.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today