Description
GPAC MP4Box v2.4 was discovered to contain a floating point exception in the gf_opus_parse_packet_header function (media_tools/av_parsers.c). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Published: 2026-06-09
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GPAC MP4Box v2.4 contains a floating point exception in the gf_opus_parse_packet_header function of the media_tools/av_parsers.c component. When a crafted MP4 file with an Opus packet header is parsed, the exception causes the application to terminate, leading to a denial of service. The flaw does not provide a code execution or data disclosure path, but it can break media processing pipelines if the tool is critical to operations. The weakness is classified under CWE-1077, CWE-749 and CWE-754.

Affected Systems

GPAC MP4Box version 2.4 is affected. The flaw resides in the media_tools/av_parsers.c module that parses Opus packet headers within MP4 containers. No other vendors or product versions are listed as impacted. Users that rely on GPAC MP4Box for MP4 manipulation or as part of media processing workloads are at risk.

Risk and Exploitability

Exploitation requires a crafted MP4 file with a malicious Opus packet header. Based on the description, it is inferred that the attacker could deliver the file locally to a user running MP4Box or send it through a service that automatically processes incoming MP4 files. EPSS data is not available, and the vulnerability is not listed in CISA KEV, indicating no confirmed exploitation. The CVSS score of 6.5 indicates medium severity for availability. Until an updated release or mitigation is applied, the risk remains significant.

Generated by OpenCVE AI on June 9, 2026 at 23:40 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update to the latest GPAC MP4Box release when it is made available
  • Limit execution of MP4Box to trusted users and disable processing of untrusted MP4 files if possible
  • Configure the environment to quarantine or sandbox MP4Box to contain crashes and prevent service interruption



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Tue, 09 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1077
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Floating Point Exception in GPAC MP4Box Leading to Denial of Service
Weaknesses CWE-749
CWE-754

Tue, 09 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description GPAC MP4Box v2.4 was discovered to contain a floating point exception in the gf_opus_parse_packet_header function (media_tools/av_parsers.c). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
References


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-09T21:00:12.229Z

Reserved: 2025-08-13T00:00:00.000Z

Link: CVE-2025-55658

Vulnrichment

Updated: 2026-06-09T19:16:53.833Z

NVD

Status: Received

Published: 2026-06-09T19:17:31.527

Modified: 2026-06-09T22:16:20.857

Link: CVE-2025-55658

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T21:00:08Z
