Impact
A NULL pointer dereference occurs in the gf_media_map_esd function of GPAC MP4Box, enabling an attacker to trigger a denial of service by supplying a specially crafted MP4 file. This flaw is a classic pointer misuse (CWE‑476) that leads to an uncontrolled crash without compromising confidentiality or integrity, but it can stop media processing and potentially exhaust system resources. The vulnerability is limited to the media parsing component and does not allow arbitrary code execution.
Affected Systems
The vulnerability affects GPAC MP4Box, specifically version 2.4 as mentioned in the advisory. The flaw is present in the media_tools/isom_tools.c portion of the code base, so any deployment of this version or potential earlier releases that contain the same code path is at risk.
Risk and Exploitability
The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in CISA KEV, underscoring its limited threat in the wild. Nevertheless, in environments where media automation or processing is critical, the impact of a DoS could be significant. The likely attack vector would involve an attacker providing a malicious MP4 file, possibly through an upload interface, email attachment, or media stream, leading to a crash during parsing.
OpenCVE Enrichment