Description
A buffer overflow in the gf_media_import function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input.
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow occurs in the gf_media_import function of GPAC Project/MP4Box, specifically within /media_tools/av_parsers.c. The vulnerability, classified as a classic buffer overflow (CWE‑121), allows an attacker to supply crafted media input that overflows the buffer and aborts the process. The resulting denial of service means the affected application can no longer process media files, potentially disrupting services that rely on MP4Box for media handling.

Affected Systems

The flaw affects all releases of GPAC Project/MP4Box prior to version 26.02.0. No additional vendor or product information is listed in the CNA data.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity; the EPSS score is <1%, indicating a low but non‑zero exploitation probability; it is not listed in the CISA KEV catalog. The attack vector is inferred to be local or remote execution of MP4Box with a malicious media file, as the exploit requires supplying crafted input to the import function. While exploitation is theoretically possible, the lack of published exploits suggests that the risk is primarily that any compromised or unauthorized execution of MP4Box could be halted, rather than leading to privilege escalation or data exfiltration.

Generated by OpenCVE AI on June 25, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GPAC Project/MP4Box to version 26.02.0 or later when available.
  • If an upgrade is not immediately feasible, place strict controls on who can run MP4Box and monitor processes for abnormal exits, or containerize the application to isolate potential impact.
  • As a temporary measure, validate media files against size and format specifications before passing them to MP4Box, or disable the gf_media_import path if not required by your workflow.

Generated by OpenCVE AI on June 25, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Buffer Overflow in GPAC MP4Box Import Causing Denial of Service

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-121
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 07:00:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Wed, 24 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description A buffer overflow in the gf_media_import function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-27T05:18:16.619Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60474

cve-icon Vulnrichment

Updated: 2026-06-27T05:18:16.619Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T16:00:12Z

Weaknesses
  • CWE-121

    Stack-based Buffer Overflow