Impact
The vulnerability is a segmentation fault triggered within the Track_SetStreamDescriptor function of GPAC MP4Box version 2.4. A crafted MP4 file can cause a null pointer dereference, classified as CWE‑476, which leads to an application crash and a denial of service. This impact results in the loss of availability of the MP4Box utility for the affected process or system.
Affected Systems
GPAC MP4Box, version 2.4. The product is the only one explicitly mentioned as affected; no other vendors or products are listed.
Risk and Exploitability
The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% shows a very low likelihood of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is local or remote delivery of a malicious MP4 file to the MP4Box executable, potentially through user-controlled input or an exposed service that processes MP4 files. Given the nature of the defect, an attacker who can supply such files can repeatedly force the application to crash, exhausting system resources.
OpenCVE Enrichment