Description
A heap buffer overflow in the gf_isom_vp_config_new function (isomedia/avc_ext.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Published: 2026-06-15
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a heap buffer overflow located in the gf_isom_vp_config_new function within the isomedia/avc_ext.c component of GPAC MP4Box. Exploiting the flaw requires presenting a specially crafted MP4 file that triggers the overflow, resulting in a crash of the application and a denial of service. The weakness is classified as CWE-122, indicating that it is a heap-based buffer overflow and poses a loss of availability rather than compromising confidentiality or integrity.

Affected Systems

The issue affects the GPAC MP4Box media toolkit, specifically version 2.4 and potentially earlier releases that include the unpatched isomedia/avc_ext.c code. Users who rely on this version to decode or process MP4 files are at risk when handling untrusted media.

Risk and Exploitability

The CVSS score of 5.5 reflects a moderate risk stemming from a local or remote attack that requires the victim to open or otherwise process a malicious MP4 file. The EPSS score of less than 1% suggests that active exploitation is unlikely at this time, and the vulnerability is not listed in CISA's KEV catalog. However, an attacker could still leverage the flaw to repeatedly crash MP4Box on affected machines, potentially disrupting services or user experience. Because the flaw does not grant code execution or privilege escalation, the threat surface remains confined to denial of service.

Generated by OpenCVE AI on June 17, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GPAC MP4Box to a version newer than 2.4 that includes the buffer overflow fix
  • Refrain from opening or processing MP4 files from untrusted or unknown sources until a patch is available
  • If upgrading is not immediately feasible, monitor the application for abnormal crashes and consider temporarily disabling untrusted media handling or using sandboxed execution environments

Generated by OpenCVE AI on June 17, 2026 at 23:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Heap Buffer Overflow in GPAC MP4Box Leading to Denial of Service

Tue, 16 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Heap Buffer Overflow in GPAC MP4Box Leading to Denial of Service

Mon, 15 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description A heap buffer overflow in the gf_isom_vp_config_new function (isomedia/avc_ext.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-15T20:18:14.759Z

Reserved: 2025-08-13T00:00:00.000Z

Link: CVE-2025-55652

cve-icon Vulnrichment

Updated: 2026-06-15T19:22:06.448Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-15T20:16:24.137

Modified: 2026-06-16T14:56:30.837

Link: CVE-2025-55652

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T09:36:13Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow