Description
A segmentation violation in the gf_media_get_color_info function (/media_tools/isom_tools.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted data file.
Published: 2026-06-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A segmentation violation occurs in the gf_media_get_color_info function of GPAC Project/MP4Box before 26.02.0. The vulnerability is triggered by a crafted media file, resulting in a NULL pointer dereference. When exploited, the function causes the application to crash, interrupting media processing and potentially affecting higher‑level services that depend on MP4Box. The weakness is a classic null dereference flaw (CWE-476).

Affected Systems

The vulnerability affects the GPAC Project’s MP4Box tool in all releases prior to 26.02.0. Users running MP4Box versions older than 26.02.0 are impacted regardless of additional configuration or deployment environment.

Risk and Exploitability

No CVSS score is publicly available, but the denial‑of‑service impact is significant. EPSS data is not published, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is remote: an attacker can supply a malicious media file to a system that processes untrusted input with MP4Box. The exploit does not require privileged access; it merely needs the ability to deliver a crafted file to the target application. Organizations running vulnerable versions should consider the risk high due to the potential for service disruption.

Generated by OpenCVE AI on June 1, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to GPAC Project/MP4Box version 26.02.0 or later
  • Implement input validation to reject malformed media files before they reach the parsing function
  • Configure network controls to limit exposure of MP4Box to untrusted input sources

Generated by OpenCVE AI on June 1, 2026 at 16:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Segmentation Fault in GPAC MP4Box Permitting Denial of Service
First Time appeared Gpac
Gpac mp4box
Weaknesses CWE-476
Vendors & Products Gpac
Gpac mp4box

Mon, 01 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description A segmentation violation in the gf_media_get_color_info function (/media_tools/isom_tools.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted data file.
References

Subscriptions

Gpac Mp4box
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-01T16:43:31.666Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60495

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-01T15:16:28.860

Modified: 2026-06-01T15:16:28.860

Link: CVE-2025-60495

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T16:30:06Z

Weaknesses