Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
A heap buffer overflow in the m2tsdmx_send_packet function (filters/dmx_m2ts.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
AnalysisAI
Heap buffer overflow in GPAC MP4Box v2.4's MPEG-2 TS demuxer crashes the application when processing a specially crafted MP4 file, resulting in a Denial of Service. The vulnerable function m2tsdmx_send_packet in filters/dmx_m2ts.c lacked a minimum packet-length guard before performing heap operations on M2TS packet data. No active exploitation has been identified (not in CISA KEV), and impact is limited to availability - no code execution or data exposure is achievable via this path.
Technical ContextAI
CWE-122 (Heap-based Buffer Overflow) describes the root cause: the m2tsdmx_send_packet function in GPAC's MPEG-2 Transport Stream demuxer (src/filters/dmx_m2ts.c) processed incoming PES packet data without first validating that the packet length exceeded a safe minimum threshold. The upstream commit 9bd6a72c9efc0513dfd33b87498afc7658dabd26 reveals the fix is a single bounds check - if (len<=2) return; - confirming that packets with two or fewer bytes of payload were passed directly into heap operations without validation. GPAC MP4Box is an open-source multimedia framework widely used for MP4 file manipulation, packaging, and MPEG-2 TS demuxing. No CPE strings were provided in the source data; the affected product is GPAC v2.4 as stated in the CVE description.
RemediationAI
The upstream fix is available as GitHub commit 9bd6a72c9efc0513dfd33b87498afc7658dabd26, which adds the bounds check if (len<=2) return; to m2tsdmx_send_packet in src/filters/dmx_m2ts.c. This is an upstream fix available via PR or commit; a released patched version number has not been independently confirmed from the available source data - users should verify whether a tagged GPAC release incorporating this commit has been published at https://github.com/gpac/gpac. As a compensating control where patching is not immediately possible, restrict MP4Box usage to files from trusted sources only, and avoid automated ingestion pipelines that process externally supplied MP4 files containing MPEG-2 TS data. If GPAC is deployed in a containerized or sandboxed environment, an application crash from this vulnerability will not cascade to the host - this containment reduces the effective DoS impact to the isolated process.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210002
GHSA-gc4c-qf5m-fp82