Description
A segmentation violation in the Track_SetStreamDescriptor function (isomedia/track.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Published: 2026-06-15
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a segmentation fault triggered within the Track_SetStreamDescriptor function of GPAC MP4Box version 2.4. A crafted MP4 file can cause a null pointer dereference, classified as CWE‑476, which leads to an application crash and a denial of service. This impact results in the loss of availability of the MP4Box utility for the affected process or system.

Affected Systems

GPAC MP4Box, version 2.4. The product is the only one explicitly mentioned as affected; no other vendors or products are listed.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% shows a very low likelihood of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is local or remote delivery of a malicious MP4 file to the MP4Box executable, potentially through user-controlled input or an exposed service that processes MP4 files. Given the nature of the defect, an attacker who can supply such files can repeatedly force the application to crash, exhausting system resources.

Generated by OpenCVE AI on June 18, 2026 at 01:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GPAC MP4Box to the latest version that includes the fix for the null pointer dereference in the Track_SetStreamDescriptor function.
  • If an update is unavailable, run MP4Box in a restricted or sandboxed environment to limit the impact of a crash on critical systems.
  • Record and monitor crash logs to detect repeated failures caused by malicious MP4 inputs, and investigate any suspicious activity.

Generated by OpenCVE AI on June 18, 2026 at 01:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title GPAC MP4Box 2.4 Null Pointer Dereference Leading to DoS

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title GPAC MP4Box 2.4 Null Pointer Dereference Leading to DoS

Mon, 15 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description A segmentation violation in the Track_SetStreamDescriptor function (isomedia/track.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-15T20:21:57.369Z

Reserved: 2025-08-13T00:00:00.000Z

Link: CVE-2025-55663

cve-icon Vulnrichment

Updated: 2026-06-15T19:22:13.621Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-15T20:16:24.477

Modified: 2026-06-16T14:56:30.837

Link: CVE-2025-55663

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T09:36:11Z

Weaknesses