Skip to main content

GPAC MP4Box CVE-2025-55663

| EUVDEUVD-2025-210153 MEDIUM
NULL Pointer Dereference (CWE-476)
5.5
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
vuln.today AI
4.3 MEDIUM

File delivered remotely (AV:N), no complexity beyond crafting the MP4 (AC:L), no privileges needed (PR:N), but user must invoke MP4Box on the file (UI:R); crash-only impact means A:L with no C or I.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Severity Changed
Jun 15, 2026 - 21:22 NVD
HIGH MEDIUM
CVSS changed
Jun 15, 2026 - 21:22 NVD
5.5 (HIGH) 5.5 (MEDIUM)
Analysis Generated
Jun 13, 2026 - 22:17 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

NULL pointer dereference in GPAC's MP4Box media tool crashes the process when importing a crafted MP4 file containing an unknown svcC box nested inside an av01 parent box. The unsupported-box handling path in the ISOBMFF parser leaves the sample entry pointer uninitialized; Track_SetStreamDescriptor() at isomedia/track.c:1677 subsequently dereferences this invalid pointer during bitrate update processing without validation, producing a SEGV. No active exploitation has been confirmed (not in CISA KEV), but a public proof-of-concept MP4 file is available at the reporter's GitHub repository, and the CVSS-assigned severity is 4.3 MEDIUM (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

Technical ContextAI

GPAC is an open-source multimedia framework; MP4Box is its primary command-line tool for MP4 container manipulation, import, and export. In the ISO Base Media File Format (ISOBMFF), AV1 video is encapsulated using the 'av01' sample entry box. The 'svcC' box is a Scalable Video Coding configuration structure not expected inside an av01 context. When GPAC's parser encounters this unrecognized combination, the unsupported-box handling path does not initialize or validate the sample entry pointer before control passes to Track_SetStreamDescriptor() in isomedia/track.c. That function later dereferences the invalid pointer at line 1677 during a call chain originating in gf_isom_change_mpeg4_description() → gf_media_update_bitrate_ex() while the track import is still in progress. CWE-476 (NULL Pointer Dereference) accurately classifies the root cause: a missing null/validity check on a pointer that an earlier error path failed to populate. AddressSanitizer confirms the crash as a READ access at address 0x001e3fff8005, consistent with an uninitialized or zeroed pointer being used as a base for a field offset read.

RemediationAI

The upstream fix is available as commit 15a4ac2dff38cdbb8b43e7c84fb1595ee80d81ac in the GPAC GitHub repository; users building from source should update to a revision at or after this commit. A tagged patched release version has not been independently confirmed from the available data - organizations using packaged GPAC distributions should monitor the vendor's release channel and apply updates when a patched release is published. As a compensating control, restrict MP4Box from processing untrusted or externally supplied MP4 files until the patch is applied; in automated media pipelines, sandbox or jail the MP4Box process (e.g., with seccomp, containers, or a dedicated low-privilege user) so that a crash or potential exploitation does not propagate to adjacent systems. Filtering or rejecting MP4 files containing av01 tracks at an upstream ingestion layer is a targeted workaround but may disrupt legitimate AV1 content processing. Advisory details and PoC reference are available via https://seclists.org/oss-sec/2026/q2/914.

Share

CVE-2025-55663 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy