Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A crafted file must be processed by the MP4Box CLI/library, so AV:L and UI:R; impact is a single parser-process crash with no code execution, so C:N/I:N and only A:L.
Primary rating from Vendor (mitre).
CVSS Vector (Vendor: mitre)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
Description (CVE.org)
A buffer overflow in the gf_media_import function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input.
Analysis (AI)
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by supplying a crafted media file. The flaw is an out-of-bounds read of a language metadata string in gf_media_import (media_import.c), where three characters were read without verifying the string's length. Publicly available exploit code exists (sigdevel PoC), but it is not listed in CISA KEV and EPSS is low (0.19%, 8th percentile), indicating minimal observed real-world exploitation.
Technical Context (AI)
GPAC is a widely used open-source multimedia framework; MP4Box is its command-line muxing/packaging utility and libgpac is the underlying library embedded in media pipelines. The root cause (CWE-121, stack-based buffer overflow per NVD, though the patch shows an out-of-bounds read pattern) is in gf_media_import within src/media_tools/media_import.c. The code built a 4CC language code via GF_4CC(p->value.string[0], p->value.string[1], p->value.string[2], ' ') from a track's language property string without checking that the string held at least three bytes. A language string shorter than three characters caused reads past the end of the buffer, corrupting state or crashing the parser. The official fix (commit bd7fd6be) adds a strlen(p->value.string) >= 3 guard before dereferencing those indices.
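The following is an added illustration written for this page, not GPAC's own code: it reconstructs the unchecked 4CC-building pattern described above next to the guarded form the fix introduces. The MY_4CC macro is a hypothetical stand-in for GF_4CC (assumed to pack four bytes big-endian), and the input strings are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for GPAC's GF_4CC macro: packs four bytes into a
 * big-endian 32-bit code. Assumption: the real macro uses the same layout. */
#define MY_4CC(a, b, c, d)                                          \
    (((uint32_t)(uint8_t)(a) << 24) | ((uint32_t)(uint8_t)(b) << 16) | \
     ((uint32_t)(uint8_t)(c) << 8)  |  (uint32_t)(uint8_t)(d))

/* Pre-fix shape: reads lang[0..2] unconditionally. If the track's language
 * string is shorter than three characters (for example "en" or ""), the
 * indices beyond the terminator are read out of bounds. Only call this with
 * input known to hold at least three bytes. */
uint32_t lang_4cc_unchecked(const char *lang) {
    return MY_4CC(lang[0], lang[1], lang[2], ' ');
}

/* Post-fix shape: verify the string holds at least three bytes before
 * dereferencing them. Returns 0 for short or missing input so the caller can
 * fall back to an "undetermined" language instead of reading past the buffer. */
uint32_t lang_4cc_checked(const char *lang) {
    if (lang == NULL || strlen(lang) < 3)
        return 0;
    return MY_4CC(lang[0], lang[1], lang[2], ' ');
}

/* Decode a 4CC back into printable form for the demo output. */
void fourcc_to_str(uint32_t code, char out[5]) {
    out[0] = (char)(code >> 24);
    out[1] = (char)(code >> 16);
    out[2] = (char)(code >> 8);
    out[3] = (char)code;
    out[4] = '\0';
}

int main(void) {
    /* Constructed sample language strings a malformed track could carry. */
    const char *samples[] = { "eng", "en", "", "english" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char text[5];
        uint32_t code = lang_4cc_checked(samples[i]);
        fourcc_to_str(code, text);
        printf("input \"%s\" -> checked 4CC 0x%08X (\"%s\")\n",
               samples[i], code, code ? text : "rejected");
    }
    return 0;
}
```

The checked variant is the one to keep in a parser that consumes untrusted files; the unchecked variant is retained here only to show which reads the strlen guard removes.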
Remediation (AI)
Upgrade to GPAC 26.02.0 or later, which contains the fix commit bd7fd6be546e0cd9e599c6b262c338c5f2ecec5c that adds a length check (strlen >= 3) before reading the language metadata string; this is the primary remediation. Because the upstream fix is published as a GitHub commit (https://github.com/gpac/gpac/commit/bd7fd6be546e0cd9e599c6b262c338c5f2ecec5c) tied to issue https://github.com/gpac/gpac/issues/3287, distributors should rebuild against patched libgpac and downstream packagers should pull the release. Until patched, do not run MP4Box/libgpac on untrusted media files; in automated media-processing pipelines, sandbox the importer (run it under a restricted, resource-limited, isolated process such as a container/seccomp jail) so a crash cannot affect the broader service, and validate or restrict the source of input files. The trade-off of sandboxing is added operational complexity and possible throughput overhead, but it contains the DoS to a disposable worker rather than the host service.
EUVD-2025-210335
GHSA-cqcc-c9q9-x82m