Description
A NULL pointer dereference in the gf_isom_get_user_data_count function (isomedia/isom_read.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Published: 2026-06-09
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null pointer dereference in the gf_isom_get_user_data_count function (isomedia/isom_read.c) of GPAC MP4Box v2.4 can be triggered by a specially crafted MP4 file. The parser dereferences a NULL pointer, crashing the process and interrupting whatever service depends on it. The flaw does not provide code execution or data exfiltration; its effect is loss of availability for the affected application.

Affected Systems

The only affected product identified is GPAC MP4Box version 2.4 (CPE cpe:2.3:a:gpac:gpac:2.4:*:*:*:*:*:*:*). No other vendors or products are listed in the CNA data, so the scope is limited to this release and any systems that use it to process MP4 media.

Risk and Exploitability

The attack requires MP4Box to parse a malicious MP4 file. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) scores this as local access with user interaction and no privileges, but a file that arrives from a remote source (an upload, an attachment) meets the same condition once it is handed to MP4Box. The EPSS score is below 1%, the SSVC enrichment records exploitation as "poc" (a proof of concept exists, no active exploitation), and the flaw is not listed in CISA KEV, so no widespread exploitation is known. The CVSS base score of 5.5 (medium) comes entirely from the availability impact. Systems that process MP4 files unattended or from the public, such as media pipelines that accept user uploads, carry the most exposure, since a single crafted file stops the processing job.

Generated by OpenCVE AI on June 10, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check for an official update from GPAC that fixes the issue and upgrade if available.
  • If no update is available, restrict MP4 input to trusted sources and validate the file format before parsing.
  • If no update is available, run MP4Box in a sandboxed environment to contain crashes.
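
The failure pattern behind this CVE and the "validate the file format before parsing" item above, as an added example in C. This is not GPAC's code and makes no claim about which pointer in isom_read.c is NULL in the real bug; it models a reader in which the optional moov/udta box may be absent, shows the unchecked user-data lookup that crashes beside the checked one that returns 0, and walks box headers with an overflow-safe size check so a crafted size field is rejected before any lookup happens. The box layout follows the ISO base media file format (4-byte big-endian size, then 4-byte type); the names box_t, movie_t, parse_movie, user_data_count_unchecked, user_data_count_checked, build_sample, demo_count and demo_rejects_oversized, and the sample bytes, are hypothetical and constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative ISOBMFF reader for the CWE-476 pattern in this advisory. Added
 * example, NOT GPAC's isom_read.c: only the box header layout is real. */

#define FOURCC(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

typedef struct {
    uint32_t size;        /* declared box size including the 8-byte header */
    uint32_t type;        /* four-character code */
    const uint8_t *body;  /* payload after the header, points into the file buffer */
    uint32_t body_len;
} box_t;

typedef struct {
    const box_t *udta;    /* NULL when the file has no moov/udta box (legal in ISOBMFF) */
    box_t udta_storage;
} movie_t;

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Read the box header at buf[off]. Rejects a truncated header, size 0/1 (extended
 * sizes are out of scope) and a size that overruns the buffer; the bound is written
 * as size > len - off so a huge crafted size cannot wrap the addition. */
static int read_box(const uint8_t *buf, size_t len, size_t off, box_t *out) {
    if (off + 8 > len) return -1;
    uint32_t size = rd32(buf + off);
    if (size < 8 || size > len - off) return -1;
    out->size = size;
    out->type = rd32(buf + off + 4);
    out->body = buf + off + 8;
    out->body_len = size - 8;
    return 0;
}

/* First child of 'type' inside a container payload, or NULL if absent or malformed. */
static const box_t *find_child(const uint8_t *body, uint32_t body_len, uint32_t type, box_t *found) {
    for (size_t off = 0; off < body_len; off += found->size) {
        if (read_box(body, body_len, off, found) != 0) return NULL;
        if (found->type == type) return found;
    }
    return NULL;
}

/* Walk the top-level boxes and remember moov/udta if present. Returns -1 on any
 * malformed box, so crafted size fields are rejected before any lookup. */
int parse_movie(const uint8_t *buf, size_t len, movie_t *m) {
    box_t top;
    m->udta = NULL;
    for (size_t off = 0; off < len; off += top.size) {
        if (read_box(buf, len, off, &top) != 0) return -1;
        if (top.type == FOURCC('m', 'o', 'o', 'v'))
            m->udta = find_child(top.body, top.body_len, FOURCC('u', 'd', 't', 'a'), &m->udta_storage);
    }
    return 0;
}

static uint32_t count_children(const box_t *container, uint32_t type) {
    box_t child;
    uint32_t n = 0;
    for (size_t off = 0; off < container->body_len; off += child.size) { /* container deref */
        if (read_box(container->body, container->body_len, off, &child) != 0) break;
        if (child.type == type) n++;
    }
    return n;
}

/* Vulnerable shape: assumes udta exists. A moov without udta leaves m->udta NULL
 * and count_children reads body_len through it: SIGSEGV, i.e. the DoS. */
uint32_t user_data_count_unchecked(const movie_t *m, uint32_t type) {
    return count_children(m->udta, type);
}

/* Hardened shape: no user data is a valid answer of zero, not a crash. */
uint32_t user_data_count_checked(const movie_t *m, uint32_t type) {
    if (!m || !m->udta) return 0;
    return count_children(m->udta, type);
}

/* ---- constructed sample input (not a real capture) ---- */
static size_t put_box(uint8_t *out, uint32_t type, const uint8_t *payload, uint32_t plen) {
    uint32_t size = 8 + plen;
    uint8_t hdr[8] = { (uint8_t)(size >> 24), (uint8_t)(size >> 16), (uint8_t)(size >> 8), (uint8_t)size,
                       (uint8_t)(type >> 24), (uint8_t)(type >> 16), (uint8_t)(type >> 8), (uint8_t)type };
    memcpy(out, hdr, 8);
    if (plen) memcpy(out + 8, payload, plen);
    return size;
}

/* ftyp + moov; with_udta adds a udta holding cprt, name, cprt. Returns the byte length. */
size_t build_sample(int with_udta, uint8_t *out) {
    static const uint8_t ftyp_payload[8] = { 'i', 's', 'o', 'm', 0, 0, 0, 0 };
    uint8_t udta[64], moov[64];
    uint32_t ulen = 0, mlen = 0;
    size_t n = put_box(out, FOURCC('f', 't', 'y', 'p'), ftyp_payload, sizeof ftyp_payload);
    if (with_udta) {
        ulen += put_box(udta + ulen, FOURCC('c', 'p', 'r', 't'), NULL, 0);
        ulen += put_box(udta + ulen, FOURCC('n', 'a', 'm', 'e'), NULL, 0);
        ulen += put_box(udta + ulen, FOURCC('c', 'p', 'r', 't'), NULL, 0);
        mlen += put_box(moov + mlen, FOURCC('u', 'd', 't', 'a'), udta, ulen);
    }
    n += put_box(out + n, FOURCC('m', 'o', 'o', 'v'), moov, mlen);
    return n;
}

/* Parse a sample and count its 'cprt' boxes with the hardened function; UINT32_MAX if rejected. */
uint32_t demo_count(int with_udta) {
    uint8_t buf[128];
    movie_t m;
    size_t len = build_sample(with_udta, buf);
    if (parse_movie(buf, len, &m) != 0) return UINT32_MAX;
    return user_data_count_checked(&m, FOURCC('c', 'p', 'r', 't'));
}

/* Crafted size: overwrite moov's size field (offset 16, after the 16-byte ftyp) with
 * 0xFFFFFFFF and confirm the walker refuses the file instead of reading past it. */
int demo_rejects_oversized(void) {
    uint8_t buf[128];
    movie_t m;
    size_t len = build_sample(1, buf);
    memset(buf + 16, 0xFF, 4);
    return parse_movie(buf, len, &m) == -1;
}

int main(void) {
    printf("cprt count, udta present: %u\n", (unsigned)demo_count(1));
    printf("cprt count, udta absent:  %u\n", (unsigned)demo_count(0));
    printf("oversized moov rejected:  %d\n", demo_rejects_oversized());
    /* user_data_count_unchecked() on the udta-less sample dereferences NULL. */
    return 0;
}
```

Two points the model makes about the recommended actions: a pre-parse validator of the kind shown in parse_movie catches crafted size fields, but if the real trigger is, as in this model, a box that is simply absent, the input is structurally valid and no format check rejects it, which is why the sandboxing item matters more than validation until a fix ships (a crash inside a container or seccomp boundary is a failed job, not an outage). And the fix itself is one line of the kind in user_data_count_checked: treat a missing optional box as a count of zero.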

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 16:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Gpac gpac
CPEs                                  cpe:2.3:a:gpac:gpac:2.4:*:*:*:*:*:*:*
Vendors & Products                    Gpac gpac

Wed, 10 Jun 2026 17:45:00 +0000

Type                 Values Removed   Values Added
Title                                 GPAC MP4Box Null Pointer Dereference Leading to Denial of Service

Wed, 10 Jun 2026 15:30:00 +0000

Type                 Values Removed   Values Added
References
Metrics                               cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}
                                      ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 11:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Gpac
                                      Gpac mp4box
Vendors & Products                    Gpac
                                      Gpac mp4box

Tue, 09 Jun 2026 23:45:00 +0000

Type                 Values Removed   Values Added
Title                                 GPAC MP4Box Null Pointer Dereference Leading to Denial of Service
Weaknesses                            CWE-476

Tue, 09 Jun 2026 18:45:00 +0000

Type                 Values Removed   Values Added
Description                           A NULL pointer dereference in the gf_isom_get_user_data_count function (isomedia/isom_read.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-10T13:49:40.977Z

Reserved: 2025-08-13T00:00:00.000Z

Link: CVE-2025-55651

Vulnrichment

Updated: 2026-06-10T13:49:30.826Z

NVD

Status : Analyzed

Published: 2026-06-09T19:17:31.290

Modified: 2026-06-12T16:39:59.680

Link: CVE-2025-55651

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T17:30:36Z

Weaknesses