Description
A NULL pointer dereference in the gf_odf_ac4_cfg_dsi_v1 function (/odf/descriptors.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.
Published: 2026-06-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL pointer dereference occurs in the gf_odf_ac4_cfg_dsi_v1 function within the GPAC Project MP4Box before 26.02.0. Based on the description, it is inferred that an attacker who can supply a specially crafted AC4 media file can cause the application to crash, resulting in a denial‑of‑service. The flaw does not provide code execution, data disclosure, or privileged access; it solely disrupts service availability.

Affected Systems

All implementations of GPAC Project MP4Box older than version 26.02.0 are affected. No separate vendor or product lines are listed; the issue resides entirely in the core MP4Box binary.

Risk and Exploitability

The CVSS score is 5.5, and the vulnerability is not in the CISA KEV catalog, indicating no known active exploitation. Based on the description, it is inferred that the attack vector requires the attacker to deliver a malicious AC4 file to the target system, which is typically a local or privileged file injection scenario. Because the function fails when encountering malformed input, exploitation is straightforward once a suitable file is crafted, placing the risk at a moderate level for environments that routinely process untrusted AC4 streams. In tightly controlled or isolated deployments, the impact is lower.

Generated by OpenCVE AI on June 1, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch included in commit e02d1fd24cdc26acb1b236ab38b3832cffcae21b or upgrade to GPAC MP4Box version 26.02.0 or later
  • If an upgrade cannot be performed immediately, disable or quarantine AC4 file handling to prevent the vulnerable function from being triggered
  • Verify that no custom scripts or integrations invoke the vulnerable function, and monitor crash logs to detect exploitation attempts

Generated by OpenCVE AI on June 1, 2026 at 18:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
References

Mon, 01 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Null Pointer Dereference in GPAC MP4Box Leading to DoS via Malicious AC4 File

Mon, 01 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Title Null Pointer Dereference in GPAC MP4Box Leading to DoS via Malicious AC4 File

Mon, 01 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Mon, 01 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description A NULL pointer dereference in the gf_odf_ac4_cfg_dsi_v1 function (/odf/descriptors.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.
References

Subscriptions

Gpac Mp4box
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-01T23:31:37.379Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60481

cve-icon Vulnrichment

Updated: 2026-06-01T23:31:37.379Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T15:16:28.420

Modified: 2026-06-02T00:16:32.480

Link: CVE-2025-60481

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T19:00:14Z

Weaknesses