Impact
A null pointer dereference occurs in GPAC MP4Box’s gf_isom_add_track_kind() function when parsing a specially crafted MP4 file. The flaw triggers a crash that terminates the application, resulting in a denial of service. The vulnerability is classified as a memory safety bug (CWE‑476) and does not provide avenues for code execution, data exposure, or privilege escalation. With a CVSS score of 6.5, the impact is considered moderate and limited to the affected application’s availability.
Affected Systems
The issue affects GPAC MP4Box version 2.4, the media processing tool that handles MP4 files. No other releases or flavors of MP4Box have been reported to be impacted.
Risk and Exploitability
The vulnerability can be triggered by providing a malformed MP4 file to the MP4Box executable. The likely attack vector is local or any channel that supplies the file, such as a shared folder, email attachment, or media pipeline ingest. Because the Exploit Prediction Scoring System (EPSS) score is not available, the probability of exploitation remains undefined. The flaw is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting that large‑scale exploitation has not been observed. However, the CVSS score of 6.5 indicates a moderate risk to availability for users of the vulnerable version.
OpenCVE Enrichment