Description
A heap buffer overflow in the gf_cenc_set_pssh function (isomedia/drm_sample.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Published: 2026-06-15
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap buffer overflow occurs in the gf_cenc_set_pssh function (isomedia/drm_sample.c) of GPAC MP4Box version 2.4. The flaw can be triggered by supplying a specially crafted MP4 file. When the malformed file is processed, the overflow can corrupt heap memory, causing the application to crash and leading to a denial of service. This vulnerability is classified as a heap-based buffer overflow (CWE‑122).

Affected Systems

GPAC MP4Box version 2.4, identified by the CPE cpe:2.3:a:gpac:gpac. No other affected vendors or products are listed.

Risk and Exploitability

The vulnerability has a CVSS score of 5.5, indicating moderate severity, and an EPSS score of less than 1%, suggesting a low likelihood of exploitation. It is not listed in the CISA KEV catalog. The likely attack vector is local file ingestion, where an attacker delivers a malicious MP4 file that the system or user processes. Exploitation would result only in service interruption, with no compromise of confidentiality or integrity.

Generated by OpenCVE AI on June 16, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GPAC MP4Box to a patched version that resolves the heap overflow
  • Avoid opening or processing untrusted MP4 files until a patch is applied
  • Monitor GPAC MP4Box instances for crashes or abnormal termination and isolate affected systems

Generated by OpenCVE AI on June 16, 2026 at 20:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Title Heap Buffer Overflow in GPAC MP4Box Causing DoS

Tue, 16 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Gpac gpac
CPEs cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*
Vendors & Products Gpac gpac

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Mon, 15 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description A heap buffer overflow in the gf_cenc_set_pssh function (isomedia/drm_sample.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
References

Subscriptions

Gpac Gpac Mp4box
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-15T20:14:06.057Z

Reserved: 2025-08-13T00:00:00.000Z

Link: CVE-2025-55645

cve-icon Vulnrichment

Updated: 2026-06-15T19:21:56.004Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-15T20:16:23.600

Modified: 2026-06-16T17:38:05.953

Link: CVE-2025-55645

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T20:45:02Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow