Description
A NULL pointer dereference in the TrackWriter handling component (filters/mux_isom.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Published: 2026-06-15
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the TrackWriter handling component of GPAC MP4Box version 2.4. A NULL pointer dereference occurs when parsing certain MP4 files, which has been documented in filters/mux_isom.c. The flaw can be triggered by an attacker who supplies a specially crafted MP4 file to the application, leading to an application crash that results in a denial of service. This issue does not provide an attacker with code execution or data exfiltration capabilities; rather, it disrupts the availability of the service provided by MP4Box.

Affected Systems

GPAC MP4Box version 2.4 is affected. Any deployment using this specific version should be considered at risk. No other versions have been reported to be vulnerable, and the CPE identifies the application as gpac:gpac.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The flaw is not listed in the CISA KEV catalog, further indicating it has not yet been widely exploited. The attack vector is inferred to be local or contextual, requiring the delivery of a malicious MP4 file to the MP4Box tool; remote exploitation would be possible only if the tool is exposed through a service that processes external files. Successful exploitation results solely in a crash that interrupts service availability, with no compromise of confidentiality or integrity.

Generated by OpenCVE AI on June 16, 2026 at 20:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GPAC MP4Box to the latest released version that includes the null pointer check.
  • Avoid processing untrusted or unknown MP4 files with the affected version, and validate or sanitize input files before they reach MP4Box.
  • Run MP4Box in a sandboxed or limited resource environment to contain any crash and prevent broader system impact.

Generated by OpenCVE AI on June 16, 2026 at 20:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title GPAC MP4Box v2.4 NULL Pointer Dereference Leading to Denial of Service

Tue, 16 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Gpac gpac
CPEs cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*
Vendors & Products Gpac gpac

Tue, 16 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Mon, 15 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description A NULL pointer dereference in the TrackWriter handling component (filters/mux_isom.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
References

Subscriptions

Gpac Gpac Mp4box
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-15T20:15:15.147Z

Reserved: 2025-08-13T00:00:00.000Z

Link: CVE-2025-55643

cve-icon Vulnrichment

Updated: 2026-06-15T19:21:51.992Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-15T20:16:23.380

Modified: 2026-06-16T17:37:22.437

Link: CVE-2025-55643

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T20:30:03Z

Weaknesses