Description
A segmentation violation in the gf_isom_apple_set_tag_ex function (/isomedia/isom_write.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Published: 2026-06-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A segmentation violation occurs in the gf_isom_apple_set_tag_ex function within isom_write.c of the GPAC Project’s MP4Box utility. The defect results from a NULL Pointer Dereference (CWE‑476), causing an unhandled crash when the tool processes a specially crafted MP4 file. The crash destroys the running instance of MP4Box, thereby denying service to any workflow that relies on the binary.

Affected Systems

Any deployment that uses GPAC Project’s MP4Box prior to version 26.02.0 may be impacted. Common environments include media servers, content creation pipelines, embedded media players, and automated video processing services that invoke MP4Box on user-supplied files.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity; the flaw can be triggered by feeding a crafted MP4 file to MP4Box, either locally or via a network interface that delivers such files. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower probability of mass exploitation. Nevertheless, an attacker who can supply non‑validated MP4 input can cause the application to crash, resulting in a denial of service until the service is manually or automatically restarted.

Generated by OpenCVE AI on June 1, 2026 at 20:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GPAC Project/MP4Box to version 26.02.0 or newer where the crash bug has been fixed.
  • If an upgrade is not immediately possible, run MP4Box in a sandboxed or reduced‑privilege environment and reject or pre‑validate any MP4 files that appear malformed before processing them.
  • Implement automated monitoring to detect unexpected crashes and configure the environment to restart the service or fail over to an alternate instance to minimize downtime.

Generated by OpenCVE AI on June 1, 2026 at 20:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
References

Mon, 01 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Segmentation Violation in GPAC MP4Box

Mon, 01 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Mon, 01 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Segmentation Fault in GPAC MP4Box Causing Denial of Service via Crafted MP4
Weaknesses CWE-119
CWE-416

Mon, 01 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Segmentation Fault in GPAC MP4Box Causing Denial of Service via Crafted MP4
Weaknesses CWE-119
CWE-416

Mon, 01 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description A segmentation violation in the gf_isom_apple_set_tag_ex function (/isomedia/isom_write.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
References

Subscriptions

Gpac Mp4box
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-01T23:31:40.341Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60485

cve-icon Vulnrichment

Updated: 2026-06-01T23:31:40.341Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T15:16:28.643

Modified: 2026-06-02T00:16:32.780

Link: CVE-2025-60485

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T21:00:15Z

Weaknesses