Skip to main content

GPAC MP4Box CVE-2025-70116

MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-27 cve@mitre.org
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Analysis Generated
May 28, 2026 - 17:28 vuln.today
CVSS changed
May 28, 2026 - 17:22 NVD
4.3 (MEDIUM)
CVE Published
May 27, 2026 - 17:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV).

AnalysisAI

NULL pointer dereference in GPAC MP4Box crashes the application when parsing specially crafted truncated MP4 files, resulting in a denial-of-service condition. The vulnerability triggers in the gf_media_map_esd function (media_tools/isom_tools.c, line ~1364) when an invalid or unknown stsd (Sample Table Sample Description) entry leaves codec, mime, or profile descriptor fields uninitialized - the function then calls strlen() on a NULL pointer, producing a segmentation fault (SEGV). A publicly available exploit code exists demonstrating the crash, though EPSS at 0.02% (6th percentile) signals negligible widespread exploitation probability and the vulnerability is not listed in CISA KEV.

Technical ContextAI

GPAC is an open-source multimedia framework widely used for MP4 container manipulation; MP4Box is its command-line tool for packaging, inspecting, and converting media files. The vulnerability resides in CWE-476 (NULL Pointer Dereference): within the ISO Base Media File Format parsing path, the stsd (Sample Table Sample Description) box describes how media samples are encoded. When a truncated or malformed MP4 file contains an unknown or invalid stsd entry, GPAC fails to populate codec/mime/profile descriptor strings, leaving them as NULL pointers. The gf_media_map_esd function subsequently passes these unvalidated pointers to strlen(), which dereferences NULL and triggers an AddressSanitizer-detected SEGV. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms the attack is network-deliverable via a crafted file, requires no privileges, but mandates that a user actively processes the file with MP4Box.

Affected ProductsAI

GPAC MP4Box is confirmed affected, with the vulnerability specifically located in media_tools/isom_tools.c around line 1364. The exact affected version range is not specified in the available data - no CPE strings or version boundaries were provided, and no vendor advisory with version constraints has been published. The issue is tracked at the upstream GitHub repository at https://github.com/gpac/gpac/issues/3345. Users should consult that issue for the latest version information as the fix status evolves.

RemediationAI

No vendor-released patch with a confirmed fix version has been identified at time of analysis. The issue is tracked upstream at https://github.com/gpac/gpac/issues/3345 - users should monitor this issue for patch availability and upgrade to the fixed release once published. As an immediate compensating control, operators should restrict MP4Box from processing untrusted or externally supplied MP4 files; this eliminates the attack surface since UI:R means the vulnerability cannot be triggered without user or pipeline action. In automated media processing environments, adding pre-validation to reject truncated or malformed MP4 files (e.g., checking file completeness before invoking MP4Box) is a practical workaround with minimal operational trade-off. Running MP4Box in a sandboxed or containerized environment limits the blast radius of a crash to an isolated process rather than a broader service.

Share

CVE-2025-70116 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy