
GPAC MP4Box CVE-2025-60483

EUVD-2025-210004 · MEDIUM
NULL Pointer Dereference (CWE-476)
Published 2026-06-01 · CNA: cve@mitre.org · Advisory: GHSA-grwg-j658-3fmh
CVSS 3.1 base score 5.5 (NVD)

Severity by source

NVD (primary): 5.5 MEDIUM
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD; NVD is the only scoring source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (4 events)

Jun 01, 2026 17:32 (vuln.today) - Source code evidence fetched
Jun 01, 2026 17:32 (vuln.today) - Analysis generated
Jun 01, 2026 17:22 (NVD) - CVSS changed to 5.5 (MEDIUM)
Jun 01, 2026 15:16 (nvd) - CVE published, severity UNKNOWN (no score yet)

Description (CVE.org)

A NULL pointer dereference in the gf_ac4_pres_b_4_back_channels_present function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.

Analysis (AI)

A NULL pointer dereference in MP4Box's AC4 audio parser crashes the process when it parses a maliciously crafted AC4 file, enabling a local Denial of Service. All GPAC/MP4Box releases prior to 26.02.0 are affected; the root cause lies in gf_ac4_pres_b_4_back_channels_present() and related AC4 presentation parsing routines in av_parsers.c. A publicly available proof-of-concept exists, but no confirmed active exploitation was recorded in CISA KEV at the time of analysis.

Technical Context (AI)

GPAC is an open-source multimedia framework; MP4Box is its primary CLI tool for packaging and inspecting MP4/ISOBMFF content. The vulnerability resides in /media_tools/av_parsers.c within the AC4 bitstream parser, specifically in gf_ac4_pres_b_4_back_channels_present() and the related gf_ac4_pres_top_channel_pairs() function. CWE-476 (NULL Pointer Dereference) describes the root cause: when iterating over the substream groups of an AC4 presentation structure, the code dereferenced each group pointer without first verifying that it was non-NULL. A crafted AC4 file can populate the presentation's group list with NULL entries, and the first such entry triggers the dereference and crashes the parser. The commit diff confirms multiple co-located fixes: NULL guards (if (!group) continue;) added in both AC4 presentation functions, a bounds check on bit-read operations in gf_ac4_oamd_common_data, and additional NULL guards in odf/descriptors.c. The affected CPE context is GPAC prior to version 26.02.0.

Remediation (AI)

The upstream fix is available as a merged commit at https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695, which adds NULL pointer guards across multiple AC4 parsing functions. Upgrade to GPAC version 26.02.0 or later, which incorporates these guards. The patched release version is inferred from the CVE description ('before 26.02.0') and has not been independently confirmed against a tagged release artifact, so verify the installed binary version after upgrading. If an immediate upgrade is not possible, the primary compensating control is to prevent MP4Box from processing untrusted or externally sourced media files, particularly those containing AC4 audio streams; this can be enforced through pipeline controls that filter or pre-validate input files before they are passed to GPAC. Disabling automated media ingestion workflows that accept arbitrary AC4 content from untrusted sources removes the primary attack path without affecting pipelines that handle only trusted content.
