Description
A heap buffer overflow in the m2tsdmx_send_packet function (filters/dmx_m2ts.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Published: 2026-06-01
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap buffer overflow occurs in the m2tsdmx_send_packet function of GPAC MP4Box when processing a crafted MP4 file. This vulnerability can cause the application to crash, resulting in a denial of service for users relying on that instance of MP4Box. The weakness is a classic heap‑based buffer overflow that allows an attacker to corrupt memory layout and trigger abnormal termination.

Affected Systems

The affected product is GPAC MP4Box version 2.4. No other vendors or product variants are listed as impacted. Users running this specific version of GPAC MP4Box should verify whether their installations match the vulnerable build.

Risk and Exploitability

The CVE does not provide a CVSS score or EPSS value, and it is not listed in the CISA KEV catalog, indicating no publicly confirmed exploitation yet. The attack requires an attacker to supply a malicious MP4 file that the target system processes with MP4Box. This could be delivered via file sharing, web download, or an internal network. Because the vulnerability causes an application crash rather than privilege escalation, the impact is limited to disruption of service rather than compromise of data or system control. Nevertheless, the lack of public exploitation data does not reduce the urgency of mitigation, as a local or remote user could trigger the DoS by submitting a crafted file to a system that automatically processes MP4Box input.

Generated by OpenCVE AI on June 1, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GPAC MP4Box to a version newer than v2.4 that contains the fix for the heap buffer overflow in m2tsdmx_send_packet; the relevant commit is available at https://github.com/gpac/gpac/commit/9bd6a72c9efc0513dfd33b87498afc7658dabd26.
  • If an upgrade is not immediately possible, restrict the ability of untrusted users or systems to supply MP4 files to MP4Box or quarantine the MP4Box executable so that it runs with minimal privileges.
  • Implement monitoring for unexpected crashes or abnormal termination of MP4Box processes to detect potential exploitation attempts.

Generated by OpenCVE AI on June 1, 2026 at 16:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Title Heap Buffer Overflow in GPAC MP4Box Enables DoS via Crafted MP4
Weaknesses CWE-122

Mon, 01 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Mon, 01 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description A heap buffer overflow in the m2tsdmx_send_packet function (filters/dmx_m2ts.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
References

Subscriptions

Gpac Mp4box
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-01T16:38:20.165Z

Reserved: 2025-08-13T00:00:00.000Z

Link: CVE-2025-55664

cve-icon Vulnrichment

Updated: 2026-06-01T16:19:50.484Z

cve-icon NVD

Status : Received

Published: 2026-06-01T15:16:28.297

Modified: 2026-06-01T17:16:36.763

Link: CVE-2025-55664

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T16:45:16Z

Weaknesses