Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Local file processing tool with no network surface; no privileges needed to invoke MP4Box; user must trigger processing; crash produces availability impact only with no C/I effect.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
A NULL pointer dereference in the gf_filter_in_parent_chain function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.
AnalysisAI
NULL pointer dereference in GPAC MP4Box's filter pipeline traversal function crashes the application when processing a specially crafted media file. Affected versions prior to 26.02.0 fail to validate the pidi->pid pointer before dereferencing it inside gf_filter_in_parent_chain (filter_pid.c:2176), enabling a local attacker to cause a Denial of Service by supplying a malicious input file. No public exploit identification as KEV, but a publicly available proof-of-concept exists on GitHub; EPSS of 0.17% (6th percentile) reflects low observed exploitation probability consistent with the local-only, user-interaction-required attack vector.
Technical ContextAI
GPAC is an open-source multimedia framework; MP4Box is its command-line ISO media file packager and manipulator widely used in media processing pipelines and research. The vulnerable function gf_filter_in_parent_chain traverses GPAC's internal filter graph to determine parent-chain relationships. The root cause (CWE-476: NULL Pointer Dereference) is a missing NULL guard on pidi->pid before it is dereferenced to access pidi->pid->filter. A crafted input file can drive the filter graph into a state where pidi->pid is NULL at recursion time, causing an immediate crash. The one-line upstream fix (commit b8d80b44718de10b101e1d7fc17c84d69feb092e) adds the guard if (pidi->pid && gf_filter_in_parent_chain(...)), confirming the flaw is purely a missing defensive check rather than a logic or memory-corruption issue.
RemediationAI
Upgrade to GPAC version 26.02.0 or any version containing commit b8d80b44718de10b101e1d7fc17c84d69feb092e (github.com/gpac/gpac/commit/b8d80b44718de10b101e1d7fc17c84d69feb092e). This is the confirmed upstream fix and the primary remediation. If upgrading immediately is not possible, restrict MP4Box usage to trusted, internally generated media files only - do not process untrusted or user-supplied files with a vulnerable version. For automated ingestion pipelines, quarantine and pre-validate media files before passing them to MP4Box; this reduces exposure but does not eliminate it, since the validation logic itself must be external. The trade-off of the workaround is operational disruption to any workflow relying on third-party media ingestion. The GitHub issue tracking this flaw is at github.com/gpac/gpac/issues/3285.
Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitra
NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2. Rated critical severity (CVSS 9.8), this vulnera
GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerability in function gf_isom_dovi_config_get. Rated crit
Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV. Rated critical severity (CVSS 9.8), this vulnerabilit
NULL Pointer Dereference in the "isomedia/track.c" module's "MergeTrack()" function of GPAC v0.5.2 allows attackers to e
An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. Rated critical severity (CVSS 9.8), this
An issue was discovered in MP4Box in GPAC 0.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2. Rated critical severity (CVSS 9.1), this vulnerability
A vulnerability, which was classified as critical, has been found in GPAC 2.3-DEV-rev40-g3602a5ded.c. Rated high severit
A vulnerability, which was classified as problematic, was found in GPAC 2.1-DEV-rev490-g68064e101-master. Rated high sev
An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Adv
An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Adv
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210334
GHSA-8hg9-39h6-3rjm