GHSA-pm88-9xjw-ghxf
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
File delivered remotely (AV:N), no complexity beyond crafting the MP4 (AC:L), no privileges needed (PR:N), but user must invoke MP4Box on the file (UI:R); crash-only impact means A:L with no C or I.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Description PRE-NVD
AnalysisAI
NULL pointer dereference in GPAC's MP4Box media tool crashes the process when importing a crafted MP4 file containing an unknown svcC box nested inside an av01 parent box. The unsupported-box handling path in the ISOBMFF parser leaves the sample entry pointer uninitialized; Track_SetStreamDescriptor() at isomedia/track.c:1677 subsequently dereferences this invalid pointer during bitrate update processing without validation, producing a SEGV. No active exploitation has been confirmed (not in CISA KEV), but a public proof-of-concept MP4 file is available at the reporter's GitHub repository, and the CVSS-assigned severity is 4.3 MEDIUM (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).
Technical ContextAI
GPAC is an open-source multimedia framework; MP4Box is its primary command-line tool for MP4 container manipulation, import, and export. In the ISO Base Media File Format (ISOBMFF), AV1 video is encapsulated using the 'av01' sample entry box. The 'svcC' box is a Scalable Video Coding configuration structure not expected inside an av01 context. When GPAC's parser encounters this unrecognized combination, the unsupported-box handling path does not initialize or validate the sample entry pointer before control passes to Track_SetStreamDescriptor() in isomedia/track.c. That function later dereferences the invalid pointer at line 1677 during a call chain originating in gf_isom_change_mpeg4_description() → gf_media_update_bitrate_ex() while the track import is still in progress. CWE-476 (NULL Pointer Dereference) accurately classifies the root cause: a missing null/validity check on a pointer that an earlier error path failed to populate. AddressSanitizer confirms the crash as a READ access at address 0x001e3fff8005, consistent with an uninitialized or zeroed pointer being used as a base for a field offset read.
RemediationAI
The upstream fix is available as commit 15a4ac2dff38cdbb8b43e7c84fb1595ee80d81ac in the GPAC GitHub repository; users building from source should update to a revision at or after this commit. A tagged patched release version has not been independently confirmed from the available data - organizations using packaged GPAC distributions should monitor the vendor's release channel and apply updates when a patched release is published. As a compensating control, restrict MP4Box from processing untrusted or externally supplied MP4 files until the patch is applied; in automated media pipelines, sandbox or jail the MP4Box process (e.g., with seccomp, containers, or a dedicated low-privilege user) so that a crash or potential exploitation does not propagate to adjacent systems. Filtering or rejecting MP4 files containing av01 tracks at an upstream ingestion layer is a targeted workaround but may disrupt legitimate AV1 content processing. Advisory details and PoC reference are available via https://seclists.org/oss-sec/2026/q2/914.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210153