HIGH 7.5

CVE-2025-52292: GPAC MP4Box Stack Buffer Overflow Denial of Service

GPAC MP4Box version 2.4 contains a stack buffer overflow vulnerability in its file input handling code. An attacker can exploit this by submitting a specially crafted MP4 file, causing the application to crash or become unresponsive. This is a denial-of-service issue with no data theft or system compromise risk, but it can disrupt services that depend on MP4Box for media processing.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-121
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

A stack buffer overflow in the filein_process function (in_file.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-52292 is a stack buffer overflow (CWE-121) located in the filein_process function of in_file.c within GPAC MP4Box v2.4. The vulnerability arises from insufficient bounds checking when processing input MP4 files. When a malformed MP4 file with crafted parameters is provided, the function writes beyond allocated stack memory, triggering a crash. The attack requires no authentication, no user interaction beyond file submission, and can be triggered over the network if MP4Box is exposed via a service endpoint. CVSS 3.1 score is 7.5 (High severity) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, reflecting network-accessible denial of service with no confidentiality or integrity impact.

Business impact

Organizations relying on GPAC MP4Box for automated media transcoding, validation, or ingest pipelines face service disruption risk. If MP4Box is exposed as a web service or integrated into media processing workflows, an attacker can cause repeated crashes, degrading availability. This affects streaming platforms, content management systems, and broadcast infrastructures. The impact is availability-focused; no data theft or corruption occurs. Recovery requires process restart and potential upstream queue management.

Affected systems

GPAC MP4Box v2.4 is the confirmed affected version. Organizations using earlier versions should verify end-of-life status with the vendor; later versions require testing for patch status. MP4Box is commonly used in Linux/Unix environments and containerized media pipelines. Products that embed or depend on GPAC libraries should be inventoried and assessed for exposure.

Exploitability

Exploitability is high in practice. The vulnerability requires only network access and a crafted MP4 file—no authentication, privileges, or user interaction. Proof-of-concept creation is straightforward for someone familiar with MP4 file structure. However, this is not yet listed on CISA's Known Exploited Vulnerabilities catalog, suggesting active weaponization has not been publicly confirmed as of the publication date. Automated scanning for vulnerable MP4Box instances is possible but not trivial without direct service exposure detection.

Remediation

Upgrade GPAC to a patched version released after this vulnerability's disclosure. Contact the GPAC project for patch availability and timeline. As an interim measure, restrict network exposure of MP4Box services, implement input validation on MP4 files (reject oversized or malformed files), and place MP4Box instances behind web application firewalls or rate limiters. Monitor process crashes and segment media processing infrastructure to limit blast radius.

Patch guidance

Check the GPAC project repository and release notes for a version newer than v2.4 that addresses CWE-121 in in_file.c. Verify patch availability by examining commit history or security advisories on the official GPAC website. Test patched versions in a staging environment with both legitimate and malformed MP4 files before production deployment. If the vendor has not released a patch, consider implementing a sandboxed execution environment or alternative MP4 processing tool as a workaround.

Detection guidance

Monitor for MP4Box process crashes correlated with unusual or oversized MP4 file submissions. Log file sizes and submission patterns to the service. Implement network-based detection by inspecting MP4 file headers for anomalies (malformed atom sizes, invalid nesting). Endpoint detection and response (EDR) tools can flag repeated process crashes in media processing pipelines. Security Information and Event Management (SIEM) systems should correlate MP4 ingestion failures with potential attack patterns.

Why prioritize this

This vulnerability warrants prompt attention for organizations using MP4Box in production pipelines. The CVSS score of 7.5 reflects high severity due to unrestricted network access and certain availability impact. Although not yet publicly exploited, the straightforward attack vector (crafted file) and ease of reproduction elevate risk. Prioritize patching if MP4Box is internet-facing or processes untrusted media; deprioritize if it is isolated and processes only internal, validated content.

Risk score, explained

The CVSS 3.1 score of 7.5 (High) reflects a network-accessible denial-of-service flaw with no authentication or user interaction required. The vector AV:N/AC:L/PR:N/UI:N indicates network exploitability and low complexity. The A:H component denotes high impact to availability (process crash). The absence of confidentiality (C:N) and integrity (I:N) impact caps the score below critical range. Real-world risk depends on deployment context: services directly exposed to untrusted input face higher practical risk than isolated instances.

Frequently asked questions

Is this vulnerability being actively exploited in the wild?

As of the modification date (June 17, 2026), CVE-2025-52292 is not listed on CISA's Known Exploited Vulnerabilities catalog. This does not guarantee absence of exploitation, but suggests no widespread, confirmed active attacks have been publicly documented. Monitor threat intelligence feeds and security advisories for updates.

Can this vulnerability lead to remote code execution?

No. The vulnerability causes a denial of service through memory corruption but does not enable code execution. Exploitation results in process termination, not privilege escalation or system compromise. The impact is availability only.

What should I do if we use MP4Box but a patch isn't available yet?

Implement compensating controls: restrict network access to MP4Box services, validate MP4 file structure before processing, deploy rate limiting, and consider containerizing MP4Box so crashes do not affect host systems. Contact GPAC maintainers for patch timeline and consider temporary workarounds such as input sanitization or alternative processing tools.

How can we detect if we've been targeted by this vulnerability?

Monitor application logs for unexpected MP4Box crashes, especially correlating with new or suspicious file submissions. Examine network logs for unusual MP4 file transfers to the affected system. If using EDR or process monitoring, alert on repeated or clustered crashes of the MP4Box process. Check file timestamps and source IPs of received MP4 files.

This analysis is based on publicly disclosed vulnerability data as of June 2026. Patch availability, affected versions, and remediation timelines should be verified against official GPAC project advisories and vendor documentation. Organizations should conduct their own risk assessment based on deployment context and threat modeling. SEC.co makes no warranty regarding the accuracy of vendor patch information or timeline for patch releases. Consult your security team and vendor for authoritative guidance on remediation priority and deployment procedures. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).