Description
A segmentation violation in the gf_media_get_color_info function (/media_tools/isom_tools.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted data file.
Published: 2026-06-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a NULL pointer dereference (CWE-476) in gf_media_get_color_info in media_tools/isom_tools.c, reached when MP4Box (GPAC Project) before 26.02.0 processes a crafted media file. The dereference raises a segmentation fault and terminates the process, so a single malicious input aborts whatever batch job, transcoding step or service was running MP4Box at the time. The recorded impact is availability only (CVSS C:N/I:N/A:H); nothing on this page indicates code execution or information disclosure.

Affected Systems

MP4Box releases before 26.02.0 are affected; the description does not narrow this by platform or build configuration, so any deployment that lets MP4Box parse files from an untrusted source should be treated as exposed. The faulty function lives in media_tools/isom_tools.c, which is GPAC library code rather than something specific to the MP4Box front end; the advisory names only MP4Box, so do not assume other GPAC tools or libgpac consumers are unaffected without checking them against the fixed release.

Risk and Exploitability

The CVSS 3.1 base score is 5.5 (Medium) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: no privileges are needed, but the attack vector is local with user interaction, meaning the crafted file has to reach a system where MP4Box opens it, typically through an upload, a shared media folder or an automated ingest pipeline. EPSS is below 1% (Very Low), the flaw is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, Automatable: no and Technical Impact: partial. Triggering a null dereference needs only a file that reaches the faulty code path, so where MP4Box processes untrusted media the realistic outcome is a reliable per-file crash rather than compromise; weigh it as a denial-of-service risk for those pipelines, not as a high-severity finding.

Generated by OpenCVE AI on June 1, 2026 at 19:50 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The description reports the issue as present in versions before 26.02.0, which implies the fix ships in that release.

OpenCVE Recommended Actions

  • Upgrade GPAC Project/MP4Box to 26.02.0 or later, and confirm the installed version from the tool itself (MP4Box -version) rather than from the package name
  • Until upgraded, do not let MP4Box parse untrusted media directly: pre-screen files with a separate validator where you have one, and treat a parser crash as a rejected input rather than a pipeline failure
  • Run MP4Box on untrusted input in an isolated worker (separate process, CPU and memory limits, no shared state) so a segmentation fault aborts only that job; network controls help only insofar as they limit who can submit files to such a pipeline
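The two checks above (a version gate and crash isolation) in working form, as an added example that is neither GPAC's nor OpenCVE's code. It assumes a POSIX system, MP4Box on PATH, and that the version string handed to version_is_fixed() is the dotted MAJOR.MINOR.PATCH form; the 30 s CPU limit and 1 GiB address-space cap are illustrative values, and the `-info` invocation is just one MP4Box mode that parses the input file.

```c
/* Added example (not GPAC or OpenCVE code): a crash-isolating wrapper for
 * running MP4Box, or any other media tool, on untrusted files.
 * Assumptions: POSIX system, MP4Box on PATH, and that the version string
 * passed to version_is_fixed() is the dotted MAJOR.MINOR.PATCH form. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct run_result {
    int signaled;  /* 1 if the child died from a signal (SIGSEGV for this CVE) */
    int signo;     /* the terminating signal when signaled == 1 */
    int exit_code; /* the exit status when signaled == 0 */
};

/* Parse "MAJOR.MINOR.PATCH" into v[3]; returns 1 on success, 0 otherwise. */
static int parse_version(const char *s, int v[3]) {
    if (sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2]) != 3) return 0;
    return v[0] >= 0 && v[1] >= 0 && v[2] >= 0;
}

/* 1 if version is 26.02.0 or later (the first release the description
 * reports as unaffected), 0 if older or unparseable (fail closed). */
int version_is_fixed(const char *version) {
    const int fixed[3] = {26, 2, 0};
    int v[3];
    if (!parse_version(version, v)) return 0;
    for (int i = 0; i < 3; i++)
        if (v[i] != fixed[i]) return v[i] > fixed[i];
    return 1;
}

/* Fork and exec argv under a CPU-time limit and (if mem_bytes > 0) an
 * address-space limit, then classify how the child ended. A segmentation
 * fault on a crafted file is reported in *out instead of killing the caller.
 * Returns 0 when *out is valid, -1 if fork or waitpid failed. */
int run_isolated(char *const argv[], unsigned cpu_seconds, rlim_t mem_bytes,
                 struct run_result *out) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit cpu = {cpu_seconds, cpu_seconds};
        setrlimit(RLIMIT_CPU, &cpu);
        if (mem_bytes > 0) {
            struct rlimit mem = {mem_bytes, mem_bytes};
            setrlimit(RLIMIT_AS, &mem);
        }
        execvp(argv[0], argv);
        _exit(127); /* exec failed; distinguishable from a tool exit code */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    memset(out, 0, sizeof *out);
    if (WIFSIGNALED(status)) {
        out->signaled = 1;
        out->signo = WTERMSIG(status);
    } else if (WIFEXITED(status)) {
        out->exit_code = WEXITSTATUS(status);
    }
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s <mp4box-version> <file.mp4>\n", argv[0]);
        return 2;
    }
    if (!version_is_fixed(argv[1]))
        fprintf(stderr, "warning: MP4Box %s is before 26.02.0; isolating the run\n", argv[1]);

    /* MP4Box -info parses the file and prints track metadata; the 1 GiB
     * address-space cap below is an illustrative value, not a GPAC figure. */
    char *cmd[] = {"MP4Box", "-info", argv[2], NULL};
    struct run_result r;
    if (run_isolated(cmd, 30, (rlim_t)1 << 30, &r) != 0) {
        perror("run_isolated");
        return 2;
    }
    if (r.signaled) {
        printf("MP4Box died with signal %d on %s: reject the file\n", r.signo, argv[2]);
        return 1;
    }
    printf("MP4Box exited %d on %s\n", r.exit_code, argv[2]);
    return r.exit_code;
}
```

The wrapper fails closed on an unparseable version string, and it reports a signal death separately from an exit code so the calling pipeline can quarantine the file (SIGSEGV) rather than retry it as a transient error; exit code 127 from the child means MP4Box itself could not be executed.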

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 00:30:00 +0000

  Type         Values Removed   Values Added
  References

Mon, 01 Jun 2026 20:15:00 +0000

  Type    Values Removed   Values Added
  Title                    Segmentation Fault in GPAC MP4Box Permitting Denial of Service

Mon, 01 Jun 2026 17:30:00 +0000

  Type      Values Removed   Values Added
  Metrics                    cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}
                             ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 16:45:00 +0000

  Type                  Values Removed   Values Added
  Title                                  Segmentation Fault in GPAC MP4Box Permitting Denial of Service
  First Time appeared                    Gpac; Gpac mp4box
  Weaknesses                             CWE-476
  Vendors & Products                     Gpac; Gpac mp4box

Mon, 01 Jun 2026 15:00:00 +0000

  Type          Values Removed   Values Added
  Description                    A segmentation violation in the gf_media_get_color_info function (/media_tools/isom_tools.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted data file.
  References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-01T23:31:43.259Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60495

Vulnrichment

Updated: 2026-06-01T23:31:43.259Z

NVD

Status : Deferred

Published: 2026-06-01T15:16:28.860

Modified: 2026-06-02T00:16:33.080

Link: CVE-2025-60495

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T20:00:13Z

Weaknesses