Description
A NULL pointer dereference in the gf_odf_vvc_cfg_write_bs function (odf/descriptors.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Published: 2026-06-09
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw is a null pointer dereference that occurs in the gf_odf_vvc_cfg_write_bs routine while parsing VVC descriptors in an MP4 file. When a specially crafted MP4 file is processed, the program crashes, resulting in a denial of service for the application or host. The impact is limited to the affected process, though repeated failures can lead to broader availability issues for services that rely on the tool.

Affected Systems

The vulnerability is present in GPAC MP4Box version 2.4. No other vendors or product versions were identified. System administrators should check whether they run this specific version and, if so, consider the risk.

Risk and Exploitability

Based on the description, it is inferred that the attack vector is file‑based; an attacker must supply a malicious MP4 file that is parsed by MP4Box. No remote exploitation guarantees are stated, so the likely threat is local or in scenarios where untrusted media files are accepted from external sources. The EPSS score is unavailable, and the issue is not listed in CISA KEV, indicating that the vulnerability is not yet widely exploited. The CVSS score is 7.5, indicating high severity for causing a denial of service by crashing the application.

Generated by OpenCVE AI on June 9, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest GPAC MP4Box release that contains a fix for the null pointer dereference.
  • If an update cannot be applied immediately, isolate the parsing of untrusted MP4 files in a sandboxed or low‑privilege process to prevent system‑wide crashes.
  • Configure your environment to reject or quarantine any suspicious media files before they reach MP4Box, and monitor for segmentation‑fault logs.

Generated by OpenCVE AI on June 9, 2026 at 22:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Null Pointer Dereference in GPAC MP4Box Leading to DoS

Tue, 09 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description A NULL pointer dereference in the gf_odf_vvc_cfg_write_bs function (odf/descriptors.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-09T19:27:02.695Z

Reserved: 2025-08-13T00:00:00.000Z

Link: CVE-2025-55657

cve-icon Vulnrichment

Updated: 2026-06-09T19:26:57.626Z

cve-icon NVD

Status : Received

Published: 2026-06-09T19:17:31.410

Modified: 2026-06-09T20:16:30.887

Link: CVE-2025-55657

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T23:00:15Z

Weaknesses