Description
A segmentation violation in the gf_hevc_read_sps_bs_internal function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying crafted HEVC SPS data.
Published: 2026-06-09
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A segmentation violation occurs in the gf_hevc_read_sps_bs_internal function of GPAC MP4Box v2.4 when it processes a malformed HEVC Sequence Parameter Set. The flaw causes the MP4Box process to crash, resulting in a denial of service for any operation that depends on HEVC media parsing. The vulnerability is a segmentation fault that does not allow code execution or data exfiltration.

Affected Systems

Only GPAC MP4Box version 2.4 is affected according to the CNA data. No other versions or products have been identified as impacted. Systems that rely solely on older or newer builds of MP4Box are not vulnerable.

Risk and Exploitability

The CVSS score of 7.5 is rated High. The vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) describes a network-reachable, low-complexity attack that requires no privileges or user interaction and affects availability only. The flaw can be triggered by supplying a malicious media file or network stream containing crafted HEVC SPS data to the MP4Box parser. While the vulnerability does not provide a path to arbitrary code execution, an attacker can disrupt service for users or automated workflows that invoke MP4Box. The absence of a KEV listing suggests that widespread exploitation has not yet been observed, but the high availability impact warrants proactive mitigation.

Generated by OpenCVE AI on June 10, 2026 at 00:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GPAC MP4Box to a version that contains the fix for the HEVC SPS parsing vulnerability.
  • If a newer version is not yet available, run MP4Box in a confined environment such as a container or strict sandbox to limit the impact of a crash.
  • Validate incoming HEVC streams and reject or quarantine media that contains suspiciously large or malformed SPS headers before passing them to MP4Box.
  • Monitor application logs for segmentation fault events related to MP4Box and investigate any recurrence.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Segmentation Fault in GPAC MP4Box HEVC SPS Parsing Leading to Denial of Service

Tue, 09 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Title Segmentation Fault in GPAC MP4Box HEVC Parsing Enables DoS
Weaknesses CWE-119

Tue, 09 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Segmentation Fault in GPAC MP4Box HEVC Parsing Enables DoS
Weaknesses CWE-119

Tue, 09 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description A segmentation violation in the gf_hevc_read_sps_bs_internal function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying crafted HEVC SPS data.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-09T19:26:02.041Z

Reserved: 2025-06-16T00:00:00.000Z

Link: CVE-2025-52293

Vulnrichment

Updated: 2026-06-09T19:25:56.907Z

NVD

Status: Received

Published: 2026-06-09T19:17:31.177

Modified: 2026-06-09T20:16:30.667

Link: CVE-2025-52293

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:00:12Z

Weaknesses