Description
A heap buffer overflow in the Opus audio stream parser component of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Published: 2026-06-15
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap buffer overflow exists in the Opus audio stream parser component of GPAC MP4Box version 2.4. When parsing a maliciously constructed MP4 file, the overflow corrupts heap memory and causes the application to crash, interrupting service availability. The weakness is identified as CWE‑122 and does not enable code execution or privilege escalation.

Affected Systems

The vulnerability affects GPAC MP4Box v2.4. No other vendors or product versions are listed.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation at the time of this analysis. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attack vector is inferred to be file‑based: an attacker must supply a crafted MP4 file to the parser, which is typically a local or controlled‑input scenario. If an attacker can deliver such a file to a system running the vulnerable tool, they can trigger a denial of service by causing the process to crash.

Generated by OpenCVE AI on June 16, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade GPAC MP4Box to the latest stable release that contains the buffer‑overflow fix
  • Restrict the execution of the MP4Box parser or the processing of untrusted MP4 files via sandboxing or access controls
  • Set up monitoring for repeated crashes and anomalous behavior in the application logs


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 21:15:00 +0000

Type | Values Removed | Values Added
Title |  | Heap Buffer Overflow in GPAC MP4Box’s Opus Audio Stream Parser Leads to Denial of Service

Tue, 16 Jun 2026 06:30:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Gpac; Gpac mp4box
Vendors & Products |  | Gpac; Gpac mp4box

Mon, 15 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
Weaknesses |  | CWE-122
References |  |
Metrics |  | cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description |  | A heap buffer overflow in the Opus audio stream parser component of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
References |  |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-15T20:20:44.203Z

Reserved: 2025-08-13T00:00:00.000Z

Link: CVE-2025-55661

Vulnrichment

Updated: 2026-06-15T19:22:10.548Z

NVD

Status: Undergoing Analysis

Published: 2026-06-15T20:16:24.360

Modified: 2026-06-16T14:56:30.837

Link: CVE-2025-55661

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T21:00:12Z

Weaknesses
  • CWE-122: Heap-based Buffer Overflow