Description
A NULL pointer dereference in the gf_odf_vvc_cfg_write_bs function (odf/descriptors.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Published: 2026-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw is a null pointer dereference that occurs in the gf_odf_vvc_cfg_write_bs routine while parsing VVC descriptors in an MP4 file. When a specially crafted MP4 file is processed, the program crashes, resulting in a denial of service for the application or host. The impact is limited to the affected process, though repeated failures can lead to broader availability issues for services that rely on the tool.

Affected Systems

The vulnerability is present in GPAC MP4Box version 2.4. No other vendors or product versions were identified. System administrators should check whether they run this specific version and, if so, consider the risk.

Risk and Exploitability

Based on the description, it is inferred that the attack vector is file‑based; an attacker must supply a malicious MP4 file that is parsed by MP4Box. No remote exploitation guarantees are stated, so the likely threat is local or in scenarios where untrusted media files are accepted from external sources. The EPSS score is unavailable, and the issue is not listed in CISA KEV, indicating that the vulnerability is not yet widely exploited. The CVSS score is 7.5, indicating high severity for causing a denial of service by crashing the application.

Generated by OpenCVE AI on June 9, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest GPAC MP4Box release that contains a fix for the null pointer dereference.
  • If an update cannot be applied immediately, isolate the parsing of untrusted MP4 files in a sandboxed or low‑privilege process to prevent system‑wide crashes.
  • Configure your environment to reject or quarantine any suspicious media files before they reach MP4Box, and monitor for segmentation‑fault logs.

Generated by OpenCVE AI on June 9, 2026 at 22:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 14 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
References

Fri, 12 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Gpac gpac
CPEs cpe:2.3:a:gpac:gpac:2.4:*:*:*:*:*:*:*
Vendors & Products Gpac gpac

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Tue, 09 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Null Pointer Dereference in GPAC MP4Box Leading to DoS

Tue, 09 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description A NULL pointer dereference in the gf_odf_vvc_cfg_write_bs function (odf/descriptors.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
References

Subscriptions

Gpac Gpac Mp4box
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-13T23:25:30.491Z

Reserved: 2025-08-13T00:00:00.000Z

Link: CVE-2025-55657

cve-icon Vulnrichment

Updated: 2026-06-13T23:25:30.491Z

cve-icon NVD

Status : Modified

Published: 2026-06-09T19:17:31.410

Modified: 2026-06-14T00:16:19.440

Link: CVE-2025-55657

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T11:22:34Z

Weaknesses