Description
GPAC MP4Box v2.4 was discovered to contain a NULL pointer dereference in the gf_isom_add_track_kind() function at isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Published: 2026-06-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null pointer dereference occurs in GPAC MP4Box’s gf_isom_add_track_kind() function when parsing a specially crafted MP4 file. The flaw triggers a crash that terminates the application, resulting in a denial of service. The vulnerability is classified as a memory safety bug (CWE‑476) and does not provide avenues for code execution, data exposure, or privilege escalation. With a CVSS score of 6.5, the impact is considered moderate and limited to the affected application’s availability.

Affected Systems

The issue affects GPAC MP4Box version 2.4, the media processing tool that handles MP4 files. No other releases or flavors of MP4Box have been reported to be impacted.

Risk and Exploitability

The vulnerability can be triggered by providing a malformed MP4 file to the MP4Box executable. The likely attack vector is local or any channel that supplies the file, such as a shared folder, email attachment, or media pipeline ingest. Because the Exploit Prediction Scoring System (EPSS) score is not available, the probability of exploitation remains undefined. The flaw is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting that large‑scale exploitation has not been observed. However, the CVSS score of 6.5 indicates a moderate risk to availability for users of the vulnerable version.

Generated by OpenCVE AI on June 24, 2026 at 10:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GPAC MP4Box to a patched version released by the GPAC developers.
  • If an upgrade is not immediately possible, ensure that MP4Box processes only validated MP4 files or files from trusted sources.
  • Run MP4Box in a sandboxed or isolated environment so that a crash does not affect other system components.
  • Configure automated monitoring or a watchdog to restart MP4Box if it terminates unexpectedly.

Generated by OpenCVE AI on June 24, 2026 at 10:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 11:00:00 +0000

Type Values Removed Values Added
Title Null Pointer Dereference in GPAC MP4Box Causes DoS

Wed, 24 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Title Null Pointer Dereference in GPAC MP4Box Causes Denial of Service

Wed, 24 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Null Pointer Dereference in GPAC MP4Box Causes Denial of Service

Tue, 23 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title NULL Pointer Dereference in GPAC MP4Box Causing Denial of Service

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Tue, 23 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title NULL Pointer Dereference in GPAC MP4Box Causing Denial of Service

Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description GPAC MP4Box v2.4 was discovered to contain a NULL pointer dereference in the gf_isom_add_track_kind() function at isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-26T18:36:12.718Z

Reserved: 2025-08-13T00:00:00.000Z

Link: CVE-2025-55639

cve-icon Vulnrichment

Updated: 2026-06-26T18:36:12.718Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:45:03Z

Weaknesses