Impact
The vulnerability resides in the mp4_mux_cenc_insert_pssh function of GPAC MP4Box version 2.4, where an out‑of‑memory error can be triggered by a specially crafted MP4 file. This flaw causes the application to crash, resulting in a denial of service. The weakness is an integer overflow (CWE‑190). No evidence of code execution or data exfiltration exists, so the primary risk is availability.
Affected Systems
GPAC MP4Box v2.4 is the only product explicitly listed as affected. No other vendors or minor revisions are documented. Users running this version or earlier releases that include the same code path are vulnerable. Versions newer than 2.4 are presumed untainted unless the change preserves the same implementation.
Risk and Exploitability
The CVSS score of the issue is 5.5, placing it in the medium severity class. The EPSS score is below 1 percent, indicating a low likelihood of exploitation in the wild. The vulnerability does not appear in the CISA KEV catalog. The likely attack vector is by providing a malicious MP4 file to the application, which could be attained remotely if the target system accepts MP4 inputs from untrusted sources. The exploit requires no special privileges beyond the ability to pass a file to the affected function.
OpenCVE Enrichment