Impact
A stack-based buffer overflow exists in the gf_opus_read_length function of GPAC MP4Box v2.4, allowing an attacker to supply a specially crafted MP4 file that overflows the stack and crashes the program. The result is a denial of service, interrupting media processing and potentially disrupting systems that rely on this tool for video handling. The flaw is a classic stack corruption scenario categorized as CWE‑121, which can be triggered by sending malformed input to the parser.
Affected Systems
GPAC MP4Box version 2.4 is the only version documented as vulnerable. The issue affects installations that use this edition of the media parser component; no other vendors or product lines are listed as impacted.
Risk and Exploitability
The CVSS score of 5.5 places the vulnerability in the medium risk range, while the EPSS score of less than 1% indicates a very low probability of exploitation observed in the wild. It is not listed in the CISA KEV catalog, suggesting no known active exploitation. Attackers would need to deliver a crafted MP4 file to the target system, potentially via a user opening the file or an automated trigger. The flaw does not provide code execution or privilege escalation, so impact is limited to service interruption rather than broader compromise.
OpenCVE Enrichment