Impact
A buffer overflow occurs in the gf_media_import function of GPAC Project/MP4Box, specifically within /media_tools/av_parsers.c. The vulnerability, classified as a classic out-of-bounds write (CWE-120), allows an attacker to supply crafted media input that overflows the buffer and aborts the process. The resulting denial of service means the affected application can no longer process media files, potentially disrupting services that rely on MP4Box for media handling.
Affected Systems
The flaw affects all releases of GPAC Project/MP4Box prior to version 26.02.0. No additional vendor or product information is listed in the CNA data.
Risk and Exploitability
No CVSS or EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local or remote execution of MP4Box with a malicious media file, since triggering the flaw requires supplying crafted input to the import function. Exploitation is theoretically possible, but no public exploit is known; the practical risk is therefore that an MP4Box process handling such a file is aborted (denial of service), rather than privilege escalation or data exfiltration.
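The two operational questions this advisory raises are whether a deployed MP4Box predates the fixed release and how to keep an import abort from taking a service down with it. The helpers below are an added example, not GPAC or OpenCVE code; they assume `MP4Box -version` prints a line containing "version <dotted-number>" (output format assumed) and that an aborted import surfaces as a SIGABRT exit status on POSIX.

```python
"""Defensive helpers for the MP4Box gf_media_import crash (added example)."""
import re
import signal
import subprocess
from typing import Optional, Tuple

# First release the advisory lists as not affected.
FIXED_VERSION = (26, 2, 0)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted version such as '2.4' or '26.02.0' from tool output."""
    m = re.search(r"version\s+v?(\d+(?:\.\d+)*)", text, re.IGNORECASE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version_text: str) -> Optional[bool]:
    """True when the reported version predates 26.02.0; None if unparseable."""
    version = parse_version(version_text)
    if version is None:
        return None
    # Pad short versions so '2.4' compares as (2, 4, 0) against the fix version.
    padded = version + (0,) * (len(FIXED_VERSION) - len(version))
    return padded < FIXED_VERSION


def classify_exit(returncode: int) -> str:
    """Map a child's exit status to an outcome a calling service can act on."""
    if returncode == 0:
        return "ok"
    # subprocess reports a signal death as -signum; shells report 128 + signum.
    if returncode in (-signal.SIGABRT, 128 + signal.SIGABRT):
        return "aborted"  # the denial-of-service condition from the advisory
    return "error"


def import_untrusted(path: str, binary: str = "MP4Box", timeout: int = 30) -> str:
    """Run the import in a child process so an abort cannot crash the caller."""
    cmd = [binary, "-add", path, "-new", path + ".out.mp4"]
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
    except FileNotFoundError:
        return "missing-binary"
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify_exit(proc.returncode)


if __name__ == "__main__":
    try:
        out = subprocess.run(["MP4Box", "-version"], capture_output=True, text=True)
        print("affected by this advisory:", is_affected(out.stdout + out.stderr))
    except FileNotFoundError:
        print("MP4Box not installed")
```

Treat an "aborted" result as a signal to quarantine the input and alert, not merely to retry; on a pre-26.02.0 install the same file will abort every time.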
OpenCVE Enrichment