Description
A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV).
Published: 2026-05-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL dereference in GPAC MP4Box occurs when the parser encounters a malformed or truncated MP4 file that contains an unknown or invalid stsd entry. The parser attempts to read descriptor fields such as codec, mime, or profile strings that are missing, and a NULL pointer is passed to strlen(), causing a segmentation fault and termination of the application. The weakness is a null‑pointer dereference (CWE‑476). This results in a denial of service for any process or user that attempts to open the file, but does not provide an attacker with arbitrary code execution.

Affected Systems

GPAC MP4Box – any installation lacking the patch that handles missing descriptor fields correctly. No specific vendor or product versions are listed, so any unpatched or older release may be susceptible.

Risk and Exploitability

The CVSS score of 4.3 indicates low severity, and the EPSS score is < 1 %, so the probability of exploitation is very low. It is not listed in the CISA KEV catalog. An attacker would need to supply a crafted MP4 file, which could be delivered via upload, email attachment, or shared media. The impact is limited to crashing the application; no escalation beyond denial of service is documented. The trigger requires a specially formatted file, so exploitation requires file delivery to a target system that processes the MP4 file with MP4Box.

Generated by OpenCVE AI on May 28, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest GPAC MP4Box release that contains the fix for the null‑pointer dereference.
  • Validate MP4 files before passing them to MP4Box, rejecting those that do not contain required descriptor fields.
  • Run MP4Box with the application confined to a sandbox or restricted execution environment to contain crashes.

Generated by OpenCVE AI on May 28, 2026 at 17:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 30 May 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 28 May 2026 18:00:00 +0000

Type Values Removed Values Added
Title GPAC MP4Box Null Pointer Dereference Causing Crash

Thu, 28 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 05:00:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Wed, 27 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title GPAC MP4Box Null Pointer Dereference Causing Crash
Weaknesses CWE-476

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV).
References

Subscriptions

Gpac Mp4box
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-30T14:32:36.802Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70116

cve-icon Vulnrichment

Updated: 2026-05-30T14:32:36.802Z

cve-icon NVD

Status : Deferred

Published: 2026-05-27T17:16:29.187

Modified: 2026-06-01T18:09:03.137

Link: CVE-2025-70116

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T17:45:22Z

Weaknesses