Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Description (CVE.org)
A segmentation violation in the gf_media_get_color_info function (/media_tools/isom_tools.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted data file.
Analysis (AI)
Null pointer dereference in GPAC MP4Box before version 26.02.0 crashes the process when parsing crafted MP4 files, resulting in a Denial of Service. The vulnerable function gf_media_get_color_info in src/media_tools/isom_tools.c fails to validate pointers to AVC (avcc) and HEVC (hvcc) configuration boxes before dereferencing them, causing a segmentation fault when a malformed file omits these structures. Active exploitation is not confirmed (the CVE is not in CISA KEV), but exploit code is publicly available and the attack requires only that a user open a crafted file.
Technical Context (AI)
GPAC is an open-source multimedia framework; MP4Box is its command-line ISO Base Media File Format (ISOBMFF/MP4) packaging tool. The vulnerability resides in gf_media_get_color_info (src/media_tools/isom_tools.c), a function that retrieves color space metadata from track sample descriptions. For AVC and HEVC tracks, the function attempts to read AVCDecoderConfigurationRecord (avcc) and HEVCDecoderConfigurationRecord (hvcc) box pointers without first verifying they are non-NULL. CWE-476 (NULL Pointer Dereference) is the root cause: when a crafted MP4 supplies a track whose sample description lacks these configuration boxes, the pointer is NULL and the subsequent dereference triggers a segmentation violation. The upstream fix (commit 9beed3c0a2f38505c745e5376234e7ed66e8e0b1) inserts two guard checks - if (!avcc) return GF_NOT_FOUND and if (!hvcc) return GF_NOT_FOUND - immediately before each dereference, halting processing instead of crashing.
Remediation (AI)
Upgrade GPAC MP4Box to version 26.02.0 or later, which incorporates the fix from commit 9beed3c0a2f38505c745e5376234e7ed66e8e0b1 (https://github.com/gpac/gpac/commit/9beed3c0a2f38505c745e5376234e7ed66e8e0b1). Note: the patched release version 26.02.0 is derived from the CVE description boundary; independently verify the exact package version tag in the GPAC release history before deploying. If an immediate upgrade is not possible, the primary compensating control is to restrict which files MP4Box processes: configure pipelines to accept MP4 files only from trusted, validated sources and reject or sandbox user-supplied media before processing. This does not eliminate the vulnerability but removes the attacker's ability to deliver a crafted file. There is no known in-application configuration toggle to disable the vulnerable code path, as gf_media_get_color_info is part of core track inspection logic.
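One way to pre-screen untrusted files for the condition described above (an AVC or HEVC sample entry with no avcC/hvcC child box) before they reach an unpatched MP4Box. This is an added example, not GPAC code: the function names and sample buffers are constructed for illustration, and it assumes plain avc1/avc3/hvc1/hev1 entries and 32-bit box sizes only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static int is(const uint8_t *type, const char *fourcc) { return memcmp(type, fourcc, 4) == 0; }
/* Returns 1 if a box of type `want` is a direct child within b[0..len). */
static int has_child(const uint8_t *b, size_t len, const char *want) {
    for (size_t off = 0; len - off >= 8; ) {
        uint32_t sz = be32(b + off);
        if (sz < 8 || sz > len - off) return 0;
        if (is(b + off + 4, want)) return 1;
        off += sz;
    }
    return 0;
}

/* Counts AVC/HEVC sample entries with no avcC/hvcC child; -1 = malformed or unsupported.
   Assumption: 32-bit box sizes only (size 0 and 64-bit largesize are rejected). */
static int scan(const uint8_t *b, size_t len, int in_stsd, int depth) {
    int missing = 0;
    if (depth > 8) return -1;               /* bound recursion on hostile nesting */
    for (size_t off = 0; len - off >= 8; ) {
        uint32_t sz = be32(b + off);
        const uint8_t *t = b + off + 4, *body = b + off + 8;
        if (sz < 8 || sz > len - off) return -1;
        size_t blen = sz - 8;
        int r = 0;
        if (in_stsd) {                      /* sample entry: 78-byte visual header, then child boxes */
            int avc = is(t, "avc1") || is(t, "avc3"), hevc = is(t, "hvc1") || is(t, "hev1");
            r = (avc || hevc) && (blen < 78 || !has_child(body + 78, blen - 78, avc ? "avcC" : "hvcC"));
        } else if (is(t, "stsd")) {         /* FullBox: skip version/flags and entry_count */
            r = blen < 8 ? -1 : scan(body + 8, blen - 8, 1, depth + 1);
        } else if (is(t, "moov") || is(t, "trak") || is(t, "mdia") || is(t, "minf") || is(t, "stbl")) {
            r = scan(body, blen, 0, depth + 1);
        }
        if (r < 0) return -1;
        missing += r; off += sz;
    }
    return missing;
}
int missing_decoder_cfg(const uint8_t *buf, size_t len) { return scan(buf, len, 0, 0); }

/* Constructed fragments (moov > stsd > one sample entry, other fields zero); not playable files. */
const uint8_t SAMPLE_BAD[110] = {0,0,0,110,'m','o','o','v', 0,0,0,102,'s','t','s','d',
    0,0,0,0, 0,0,0,1, 0,0,0,86,'a','v','c','1'};              /* avc1 entry, no avcC */
const uint8_t SAMPLE_OK[118] = {0,0,0,118,'m','o','o','v', 0,0,0,110,'s','t','s','d',
    0,0,0,0, 0,0,0,1, 0,0,0,94,'h','v','c','1', [110] = 0,0,0,8,'h','v','c','C'};
```

Treat any non-zero result (a missing configuration box or an unparseable structure) as a reason to reject or sandbox the file; a zero result only rules out the pattern this page describes.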
EUVD-2025-210007
GHSA-99fm-gj3q-q3g4