Description
A NULL pointer dereference in the gf_filter_pid_resolve_file_template_ex function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.
Published: 2026-06-03
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a NULL pointer dereference in the gf_filter_pid_resolve_file_template_ex function of GPAC MP4Box before version 26.02.0. An attacker supplies a specially crafted input file that triggers the dereference, resulting in an application crash and loss of availability. No confidentiality or integrity breach is indicated; the impact is restricted to availability.

Affected Systems

All installations of GPAC Project MP4Box that are earlier than version 26.02.0. Users of this project, regardless of deployment environment, are potentially affected.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in CISA KEV, so exploitation data is limited. Since the flaw requires a crafted file to be processed by MP4Box, the attack vector is inferred to be local or remote depending on whether MP4Box handles externally supplied input. The CVSS score is not provided, but the risk to availability can be considered moderate, with exploitation probability uncertain but possible if the application runs with untrusted input.

Generated by OpenCVE AI on June 3, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to GPAC MP4Box version 26.02.0 or later, which includes the fix for gf_filter_pid_resolve_file_template_ex.
  • If upgrading is not immediately possible, validate and sanitize any input files before passing them to MP4Box, ensuring that filenames contain no unexpected characters that could lead to dereference.
  • Monitor the application for crashes or repeated failures, and isolate or restart affected processes to mitigate the DoS effect.

Generated by OpenCVE AI on June 3, 2026 at 15:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Wed, 03 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title NULL pointer dereference in GPAC MP4Box causes denial of service with crafted file
Weaknesses CWE-476

Wed, 03 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Description A NULL pointer dereference in the gf_filter_pid_resolve_file_template_ex function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.
References

Subscriptions

Gpac Mp4box
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T13:43:57.989Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60477

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-03T14:16:31.100

Modified: 2026-06-03T14:16:31.100

Link: CVE-2025-60477

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T16:30:35Z

Weaknesses