
GPAC MP4Box CVE-2025-60485

EUVD-2025-210005 · MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-01 · cve@mitre.org · GHSA-r233-92jc-hrx3
5.5 (CVSS 3.1 · NVD)

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Jun 01, 2026 - 17:32 (vuln.today): Source Code Evidence Fetched
Jun 01, 2026 - 17:32 (vuln.today): Analysis Generated
Jun 01, 2026 - 17:22 (NVD): CVSS changed, 5.5 (MEDIUM)
Jun 01, 2026 - 15:16 (nvd): CVE Published, UNKNOWN (no severity yet)
Jun 01, 2026 - 15:16 (nvd): CVE Published, MEDIUM 5.5

Description (CVE.org)

A segmentation violation in the gf_isom_apple_set_tag_ex function (/isomedia/isom_write.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

Analysis (AI)

A segmentation violation in GPAC MP4Box before version 26.02.0 crashes the application when it processes a crafted MP4 file, enabling denial of service against any user or pipeline that invokes the tool on attacker-supplied input. The root cause is a null pointer dereference (CWE-476) in gf_isom_apple_set_tag_ex within isom_write.c, where custom iTunes-style tag pointers are dereferenced without prior null validation. A publicly available proof-of-concept exploit exists, though at the time of analysis no public exploit had been tied to confirmed active exploitation. The local attack vector (AV:L/UI:R) limits exposure primarily to media processing workflows that ingest untrusted MP4 files.

Technical Context (AI)

GPAC is an open-source multimedia framework; MP4Box is its command-line ISO Base Media File Format (ISOBMFF) processing tool. The vulnerable function gf_isom_apple_set_tag_ex in src/isomedia/isom_write.c handles Apple iTunes-style custom metadata tags embedded in MP4 containers. CWE-476 (NULL Pointer Dereference) is the root cause: at line 6306 the code evaluated in_cust_mean[0] and in_cust_name[0] without first confirming the pointers themselves were non-NULL. When a crafted MP4 file supplies tag data that results in these pointers being NULL at call time, the dereference produces a segmentation fault and process crash. The upstream commit 4860a1a6f128ccc9ae37b4b738d22029f9672457 corrects this by changing the guards to if (in_cust_mean && in_cust_mean[0]) and if (in_cust_name && in_cust_name[0]). The same commit also fixes a related null dereference on pointer s in dasher.c and resolves a memory leak for dyname in isoffin_load.c, suggesting a broader null-safety audit pass was performed.

Remediation (AI)

The primary remediation is to upgrade GPAC / MP4Box to version 26.02.0 or later, which incorporates the null pointer guards introduced in upstream commit 4860a1a6f128ccc9ae37b4b738d22029f9672457. The fix version '26.02.0' is stated in the CVE description but a formal vendor release advisory was not identified in the available references - confirm the release package at the official GPAC GitHub repository (https://github.com/gpac/gpac). If immediate patching is not feasible for organizations that batch-process untrusted MP4 files, the most actionable compensating control is to run MP4Box within an isolated sandbox or container with enforced resource limits and crash isolation, preventing a process crash from affecting upstream services. Restricting MP4Box execution to only internally generated or previously validated MP4 files eliminates the untrusted-input attack surface entirely without application changes. Additional context on the vulnerability is available at https://github.com/gpac/gpac/issues/3323.
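
The crash-isolation control described above can be sketched as a small POSIX shell wrapper. This is an added example, not code from GPAC or from this advisory; the helper names classify_status and run_isolated, the limits, and the file names are assumptions.

```shell
#!/bin/sh
# Added example: crash-isolating wrapper for a parser run on untrusted files.
# classify_status and run_isolated are hypothetical helper names.

# classify_status CODE -> prints ok | crashed | error
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "$1" -gt 128 ]; then
        # Shell convention: 128+N means the process died from signal N,
        # e.g. 139 = SIGSEGV (11), the failure mode of this CVE.
        echo crashed
    else
        echo error      # ordinary non-zero exit, or limits could not be set
    fi
}

# run_isolated CPU_SECONDS CMD [ARGS...]
run_isolated() {
    cpu_limit=$1; shift
    code=0
    (
        # Fail closed: if a limit cannot be applied, the command never runs.
        ulimit -c 0 &&              # no core dumps of attacker-shaped memory
        ulimit -t "$cpu_limit" &&   # cap CPU seconds for the child
        exec "$@"
    ) >/dev/null 2>&1 || code=$?
    classify_status "$code"
}

# Constructed stand-ins for a clean run and a parser crash (no MP4Box needed).
echo "clean run: $(run_isolated 5 true)"
echo "crash:     $(run_isolated 5 sh -c 'kill -s SEGV $$')"

# Real use, assuming MP4Box is on PATH and upload.mp4 is a placeholder name:
#   [ "$(run_isolated 30 MP4Box -info upload.mp4)" = ok ] || mv upload.mp4 quarantine/
```

The calling service reads one word instead of inheriting the child's signal, so a crafted file yields a quarantine decision rather than a failed batch job. A CPU limit does not bound wall-clock time, so a job that blocks on I/O still needs a separate timeout.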
