Description
A NULL pointer dereference in the gf_ac4_pres_b_4_back_channels_present function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.
Published: 2026-06-01
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL pointer dereference in the gf_ac4_pres_b_4_back_channels_present function of GPAC MP4Box causes a crash when a specially crafted AC4 file is processed. The failure results in a service interruption, preventing legitimate users from executing MP4Box on the affected system.

Affected Systems

GPAC Project MP4Box versions earlier than 26.02.0 are susceptible. Users running the MP4Box command-line tool or any application that embeds MP4Box to parse or generate AC4 streams may be impacted.

Risk and Exploitability

The impact is limited to denial of service; there is no remote code execution. To trigger the crash, an attacker must deliver a malicious AC4 file to the MP4Box tool, either locally or through a network service that invokes MP4Box on the files it processes (this delivery path is inferred from the description). No CISA KEV listing and no EPSS score are available, indicating a relatively low exploitation probability; however, environments that rely on MP4Box for media processing should prioritize patching. The CVSS score of 5.5 indicates a medium-severity issue.

Generated by OpenCVE AI on June 1, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to GPAC MP4Box version 26.02.0 or later where the pointer dereference bug is fixed.
  • If an upgrade is not immediately possible, restrict access to input AC4 files and validate them against a known good schema before processing.
  • Configure firewall or intrusion prevention systems to block or alert on attempts to trigger MP4Box with unusually large or malformed AC4 payloads.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title Null Pointer Dereference in GPAC MP4Box Leading to Denial of Service

Mon, 01 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Title Null Pointer Dereference in GPAC MP4Box Leading to Denial of Service

Mon, 01 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
Metrics cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Mon, 01 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description A NULL pointer dereference in the gf_ac4_pres_b_4_back_channels_present function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-01T16:38:07.837Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60483

Vulnrichment

Updated: 2026-06-01T16:37:59.239Z

NVD

Status: Deferred

Published: 2026-06-01T15:16:28.540

Modified: 2026-06-01T18:09:03.137

Link: CVE-2025-60483

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T18:30:06Z
