Skip to main content

GPAC MP4Box CVE-2025-55664

| EUVDEUVD-2025-210002 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-06-01 cve@mitre.org GHSA-gc4c-qf5m-fp82
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 01, 2026 - 17:31 vuln.today
Analysis Generated
Jun 01, 2026 - 17:31 vuln.today
CVSS changed
Jun 01, 2026 - 17:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 15:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A heap buffer overflow in the m2tsdmx_send_packet function (filters/dmx_m2ts.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

AnalysisAI

Heap buffer overflow in GPAC MP4Box v2.4's MPEG-2 TS demuxer crashes the application when processing a specially crafted MP4 file, resulting in a Denial of Service. The vulnerable function m2tsdmx_send_packet in filters/dmx_m2ts.c lacked a minimum packet-length guard before performing heap operations on M2TS packet data. No active exploitation has been identified (not in CISA KEV), and impact is limited to availability - no code execution or data exposure is achievable via this path.

Technical ContextAI

CWE-122 (Heap-based Buffer Overflow) describes the root cause: the m2tsdmx_send_packet function in GPAC's MPEG-2 Transport Stream demuxer (src/filters/dmx_m2ts.c) processed incoming PES packet data without first validating that the packet length exceeded a safe minimum threshold. The upstream commit 9bd6a72c9efc0513dfd33b87498afc7658dabd26 reveals the fix is a single bounds check - if (len<=2) return; - confirming that packets with two or fewer bytes of payload were passed directly into heap operations without validation. GPAC MP4Box is an open-source multimedia framework widely used for MP4 file manipulation, packaging, and MPEG-2 TS demuxing. No CPE strings were provided in the source data; the affected product is GPAC v2.4 as stated in the CVE description.

RemediationAI

The upstream fix is available as GitHub commit 9bd6a72c9efc0513dfd33b87498afc7658dabd26, which adds the bounds check if (len<=2) return; to m2tsdmx_send_packet in src/filters/dmx_m2ts.c. This is an upstream fix available via PR or commit; a released patched version number has not been independently confirmed from the available source data - users should verify whether a tagged GPAC release incorporating this commit has been published at https://github.com/gpac/gpac. As a compensating control where patching is not immediately possible, restrict MP4Box usage to files from trusted sources only, and avoid automated ingestion pipelines that process externally supplied MP4 files containing MPEG-2 TS data. If GPAC is deployed in a containerized or sandboxed environment, an application crash from this vulnerability will not cascade to the host - this containment reduces the effective DoS impact to the isolated process.

Share

CVE-2025-55664 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy