
GPAC MP4Box EUVD-2025-210003

CVE-2025-60481 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-01 cve@mitre.org GHSA-8gx7-5wj7-64gp
5.5 (CVSS 3.1 · NVD)

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

Source Code Evidence Fetched
Jun 01, 2026 - 17:32 vuln.today
Analysis Generated
Jun 01, 2026 - 17:32 vuln.today
CVSS changed
Jun 01, 2026 - 17:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 15:16 nvd
UNKNOWN (no severity yet)

Description (CVE.org)

A NULL pointer dereference in the gf_odf_ac4_cfg_dsi_v1 function (/odf/descriptors.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.

Analysis (AI)

A NULL pointer dereference in the AC4 audio DSI parser of GPAC MP4Box crashes the application when it processes a crafted AC4 file, resulting in denial of service. All GPAC MP4Box versions before 26.02.0 are affected; the CVSS vector (AV:L/UI:R) confirms that exploitation requires a victim to open a malicious file locally. A publicly available proof-of-concept exists in a referenced GitHub repository, but no active exploitation in the wild had been confirmed at the time of analysis (the CVE is not listed in CISA KEV).

Technical Context (AI)

GPAC is an open-source multimedia framework; MP4Box is its command-line tool for packaging and inspecting ISO Base Media File Format (ISOBMFF/MP4) containers. The vulnerability resides in the parsing logic for the AC4 audio codec's Decoder Specific Information (DSI), specifically in gf_odf_ac4_cfg_dsi_v1 within src/odf/descriptors.c and in related AC4 parsing routines in src/media_tools/av_parsers.c. CWE-476 (NULL Pointer Dereference) is the root cause: the code dereferenced substream group pointers (g) and other internal AC4 structures without first validating that they were non-NULL. The commit diff confirms that the fix adds explicit NULL guards, such as "if (!g) return GF_BAD_PARAM;" and guarding the call with "if (g) gf_odf_ac4_cfg_presentation_v1_dsi(...)", together with array-bounds checks on the indices used for the AC4 sampling-frequency table and frame-rate index tables, so that an out-of-range index can no longer read past a table and leave the parser with a NULL or otherwise invalid state. The affected parsing path is exercised whenever MP4Box processes a file advertising AC4 audio content with crafted DSI metadata.
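As an added illustration of the two guard classes described above, the following is a miniature AC4-style DSI reader written for this page; it is not GPAC's code, and every name in it (ac4_dsi_parse, substream_group, find_group, FS_TABLE, the 2-byte DSI layout) is a hypothetical simplification chosen to show where the NULL check and the table-index bounds check must sit.

```c
/* Hypothetical mini DSI parser (not GPAC code) showing the two guards the
 * fix adds: a NULL check on the substream-group pointer and a bounds check
 * on the sampling-frequency table index. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GF_OK 0
#define GF_BAD_PARAM (-1)   /* same error code the upstream fix returns */

/* Hypothetical sampling-frequency table: only indices 0..1 are valid. */
static const uint32_t FS_TABLE[] = { 44100, 48000 };
#define FS_TABLE_LEN (sizeof(FS_TABLE) / sizeof(FS_TABLE[0]))

typedef struct { uint32_t sample_rate; uint8_t group_id; } substream_group;

/* Constructed pool of substream groups; an id outside the pool yields NULL,
 * which is exactly the case the unpatched parser dereferenced. */
static substream_group groups[2] = { {0, 0}, {0, 1} };

static substream_group *find_group(uint8_t id) {
    return id < 2 ? &groups[id] : NULL;
}

/* Parses a constructed 2-byte DSI: [group id][fs index].
 * Returns GF_OK or GF_BAD_PARAM; never dereferences NULL or overruns FS_TABLE. */
int ac4_dsi_parse(const uint8_t *dsi, size_t len, uint32_t *out_rate) {
    if (!dsi || len < 2 || !out_rate) return GF_BAD_PARAM;
    substream_group *g = find_group(dsi[0]);
    if (!g) return GF_BAD_PARAM;                        /* NULL guard (CWE-476 fix) */
    uint8_t fs_index = dsi[1];
    if (fs_index >= FS_TABLE_LEN) return GF_BAD_PARAM;  /* table-index bounds check */
    g->sample_rate = FS_TABLE[fs_index];
    *out_rate = g->sample_rate;
    return GF_OK;
}

int main(void) {
    const uint8_t good[]      = { 1, 1 };  /* constructed: valid group, 48 kHz */
    const uint8_t bad_group[] = { 9, 0 };  /* constructed: group id not present */
    const uint8_t bad_fs[]    = { 0, 7 };  /* constructed: fs index out of range */
    uint32_t rate = 0;
    printf("good: %d rate=%u\n", ac4_dsi_parse(good, 2, &rate), rate);
    printf("bad group: %d\n", ac4_dsi_parse(bad_group, 2, &rate));
    printf("bad fs: %d\n", ac4_dsi_parse(bad_fs, 2, &rate));
    return 0;
}
```

Both malformed inputs are rejected with GF_BAD_PARAM instead of crashing the process, which is the behaviour a fuzzing harness or ingestion pipeline should expect from the patched parser.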

Remediation (AI)

Upgrade GPAC MP4Box to version 26.02.0 or later, which incorporates the fix from upstream commit e02d1fd24cdc26acb1b236ab38b3832cffcae21b (https://github.com/gpac/gpac/commit/e02d1fd24cdc26acb1b236ab38b3832cffcae21b). The patched version is confirmed by the CVE description ('before 26.02.0'). If an immediate upgrade is not feasible, the primary compensating control is to avoid processing untrusted or externally supplied AC4 audio files with MP4Box until the patch is applied; because exploitation requires processing a crafted file, this removes the reachable attack surface. For automated media ingestion pipelines, restrict the accepted input file types and pre-validate files with a container validator or against a known-good schema before passing them to MP4Box. There are no known vendor-documented workarounds that allow continued AC4 processing without exposure to this flaw.


EUVD-2025-210003 vulnerability details – vuln.today
