Description
A heap buffer overflow in the gf_opus_parse_packet_header function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Published: 2026-06-15
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap buffer overflow in the gf_opus_parse_packet_header function of GPAC MP4Box v2.4, caused by insufficient bounds checking when parsing the Opus packet header. An attacker who supplies a carefully crafted MP4 file can trigger the overflow and crash the program, resulting in a denial of service. This flaw is classified as CWE-122.

Affected Systems

GPAC MP4Box from the GPAC project is affected. The description references version 2.4; users should verify whether they are running that or earlier releases of GPAC MP4Box and whether they have applied any subsequent fixes.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% shows a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred from the description and matches the recorded CVSS vector (AV:L, UI:R): an attacker would need to get GPAC MP4Box to parse a malicious MP4 file, so the attack is local or requires the crafted file to be processed on a system running the software. No remote code execution is possible; the impact is limited to service disruption (availability only, C:N/I:N/A:H).

Generated by OpenCVE AI on June 18, 2026 at 01:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a patch that fixes the heap buffer overflow in gf_opus_parse_packet_header.
  • If no patch is available, restrict the processing of untrusted MP4 files until a fix is released.
  • Configure or disable Opus packet header parsing when it is not needed to reduce the attack surface.
  • Monitor system resources for sudden spikes or crashes that may indicate exploitation attempts.


Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

  Type    Values Removed   Values Added
  Title   (none)           Heap Buffer Overflow in GPAC MP4Box's Opus Packet Header Parsing Leads to Denial of Service

Wed, 17 Jun 2026 05:15:00 +0000

  Type    Values Removed   Values Added
  Title   (none)           Heap Buffer Overflow in GPAC MP4Box's Opus Packet Header Parsing Leads to Denial of Service

Tue, 16 Jun 2026 17:45:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  (none)           Gpac; Gpac gpac
  CPEs                 (none)           cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*
  Vendors & Products   (none)           Gpac; Gpac gpac

Mon, 15 Jun 2026 21:30:00 +0000

  Type         Values Removed   Values Added
  Weaknesses   (none)           CWE-122
  References   (none)
  Metrics      (none)           cvssV3_1:
                                {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}
                                ssvc:
                                {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 19:30:00 +0000

  Type          Values Removed   Values Added
  Description   (none)           A heap buffer overflow in the gf_opus_parse_packet_header function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
  References    (none)

MITRE

Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2026-06-15T20:17:41.018Z
Reserved: 2025-08-13T00:00:00.000Z
Link: CVE-2025-55648

Vulnrichment

Updated: 2026-06-15T19:22:00.046Z

NVD

Status: Analyzed
Published: 2026-06-15T20:16:23.817
Modified: 2026-06-16T17:39:28.407
Link: CVE-2025-55648

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T01:45:15Z

Weaknesses
  • CWE-122: Heap-based Buffer Overflow