CVE-2025-55664 - Vulnerability Details

Description

A heap buffer overflow in the m2tsdmx_send_packet function (filters/dmx_m2ts.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

Published: 2026-06-01

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A heap buffer overflow occurs in the m2tsdmx_send_packet function of GPAC MP4Box when processing a crafted MP4 file. This vulnerability can cause the application to crash, resulting in a denial of service for users relying on that instance of MP4Box. The weakness is a classic heap‑based buffer overflow that allows an attacker to corrupt memory layout and trigger abnormal termination.

Affected Systems

The affected product is GPAC MP4Box version 2.4. No other vendors or product variants are listed as impacted. Users running this specific version of GPAC MP4Box should verify whether their installations match the vulnerable build.

Risk and Exploitability

The CVE has a CVSS score of 5.5, no EPSS value is available, and it is not listed in the CISA KEV catalog, indicating no publicly confirmed exploitation yet. The attack requires an attacker to supply a malicious MP4 file that the target system processes with MP4Box. This could be delivered via file sharing, web download, or an internal network. Because the vulnerability causes an application crash rather than privilege escalation, the impact is limited to disruption of service rather than compromise of data or system control. Nevertheless, the lack of public exploitation data does not reduce the urgency of mitigation, as a local or remote user could trigger the DoS by submitting a crafted file to a system that automatically processes MP4Box input.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Gpac

Mp4box

90%

Version	Status	Scheme	Platform
`2.4`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade GPAC MP4Box to a version newer than v2.4 that contains the fix for the heap buffer overflow in m2tsdmx_send_packet; the relevant commit is available at https://github.com/gpac/gpac/commit/9bd6a72c9efc0513dfd33b87498afc7658dabd26.
If an upgrade is not immediately possible, restrict the ability of untrusted users or systems to supply MP4 files to MP4Box or quarantine the MP4Box executable so that it runs with minimal privileges.
Implement monitoring for unexpected crashes or abnormal termination of MP4Box processes to detect potential exploitation attempts.

Generated by OpenCVE AI on June 1, 2026 at 18:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0016.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/06/01/10
https://github.com/gpac/gpac/commit/9bd6a72c9efc0513dfd33b87498afc7658dabd26
https://github.com/gpac/gpac/issues/3310
https://infosec.exchange/@sigdevel/116659245751279377

History

Tue, 02 Jun 2026 00:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/06/01/10

Mon, 01 Jun 2026 19:15:00 +0000

Type	Values Removed	Values Added
Title	Heap Buffer Overflow in GPAC MP4Box Enables DoS via Crafted MP4

Mon, 01 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
Title		Heap Buffer Overflow in GPAC MP4Box Enables DoS via Crafted MP4
Weaknesses		CWE-122

Mon, 01 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Gpac Gpac mp4box
Vendors & Products		Gpac Gpac mp4box

Mon, 01 Jun 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		A heap buffer overflow in the m2tsdmx_send_packet function (filters/dmx_m2ts.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
References		https://github.com/gpac/gpac/commit/9bd6a72c9efc0513dfd33b87498afc7658dabd26 https://github.com/gpac/gpac/issues/3310 https://infosec.exchange/@sigdevel/116659245751279377

Subscriptions

Gpac Mp4box

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-06-01T00:00:00.000Z

Updated: 2026-06-01T23:31:35.872Z

Reserved: 2025-08-13T00:00:00.000Z

Link: CVE-2025-55664

Vulnrichment

Updated: 2026-06-01T23:31:35.872Z

NVD

Status : Deferred

Published: 2026-06-01T15:16:28.297

Modified: 2026-06-02T00:16:32.130

Link: CVE-2025-55664

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T19:00:14Z

Weaknesses

CWE-122
Heap-based Buffer Overflow

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object