HIGH 7.5

CVE-2025-52293: GPAC MP4Box HEVC Parser Denial of Service (CVSS 7.5)

CVE-2025-52293 is a crash vulnerability in GPAC MP4Box v2.4 that occurs when the HEVC video parser encounters malformed video stream headers. An attacker can craft a specially designed HEVC Sequence Parameter Set (SPS) and deliver it to a system running MP4Box to trigger a segmentation fault, causing the application to crash and become unavailable. This is a network-exploitable denial-of-service issue that requires no user interaction or special privileges to trigger.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

A segmentation violaton in the gf_hevc_read_sps_bs_internal function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying crafted HEVC SPS data.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the gf_hevc_read_sps_bs_internal function within media_tools/av_parsers.c of GPAC MP4Box v2.4. The function fails to properly validate HEVC SPS bitstream data before dereferencing memory, leading to a segmentation violation. The flaw allows an unauthenticated remote attacker to supply crafted HEVC SPS data—potentially via a malicious MP4 file or streaming protocol—that causes out-of-bounds memory access or use of uninitialized memory. The resulting crash stops the MP4Box process without data corruption or privilege escalation.

Business impact

Organizations using GPAC MP4Box for media processing, transcoding, or streaming workflows face availability disruption. If MP4Box is integrated into automated pipeline systems (video encoding farms, content delivery platforms, broadcast infrastructure), a crash could halt batch jobs and impact service continuity. While data confidentiality and integrity are not compromised, repeated exploitation could be weaponized as a denial-of-service attack against media processing infrastructure. The blast radius depends on how central MP4Box is to your media handling architecture and whether it processes untrusted content.

Affected systems

GPAC MP4Box v2.4 is the confirmed affected version. The vulnerability exists in the HEVC video parser component, meaning any system using MP4Box to analyze, transcode, or repackage video content is at risk if that content originates from untrusted sources. Common deployment scenarios include media analysis tools, automated video processing services, broadcast encoding centers, and content delivery networks. Verify your deployed version against GPAC release notes and advisory documentation.

Exploitability

This vulnerability is readily exploitable from the network without authentication or user interaction—a key characteristic reflected in the CVSS score of 7.5. An attacker need only deliver a malicious MP4 file or HEVC stream to a system running vulnerable MP4Box. No special conditions, bypasses, or social engineering are required. Exploitation is straightforward: craft a file with invalid SPS parameters and trigger the parser. The barrier to exploit development is low, making this a practical attack vector if an organization processes untrusted media files.

Remediation

Upgrade GPAC MP4Box to a patched version released after the vulnerability disclosure. Consult the official GPAC GitHub repository and security advisories for the specific version number that addresses CVE-2025-52293. Additionally, implement input validation and sandboxing: restrict MP4Box to process only media from trusted sources, run the tool in a containerized or isolated environment to contain crashes, and monitor for unexpected process terminations. Network-level controls should prevent untrusted content from reaching MP4Box instances when feasible.

Patch guidance

Check the GPAC project's official GitHub releases and security advisories for patched versions released after June 17, 2026 (the vulnerability modification date). Apply patches promptly to any production systems or development infrastructure using MP4Box. If you maintain custom builds, rebuild with the latest source code. For organizations on long-term support tracks, verify patch availability with your GPAC distribution provider. Test patches in a staging environment to ensure media processing workflows continue to function correctly before rolling out to production.

Detection guidance

Monitor MP4Box process logs and system events for segmentation faults (SIGSEGV) or abnormal termination when processing media files. Implement application-level logging to capture which input files trigger crashes. In network environments, inspect inbound media files for suspicious HEVC SPS characteristics using media analysis tools before feeding them to MP4Box. Consider deploying intrusion detection signatures that flag anomalous MP4/HEVC structures. Track process restarts and watchdog events to identify exploitation attempts. Log file hashes and metadata of media inputs that cause crashes for forensic analysis.

Why prioritize this

This vulnerability merits urgent attention because it combines high exploitability (network-accessible, no authentication required) with easy attack surface exposure (any system processing untrusted video). While the impact is limited to denial of service, repeated crashes could disrupt media processing pipelines and degrade service availability. Organizations relying on MP4Box for critical workflows or processing user-uploaded media should prioritize patching. The lack of KEV inclusion does not reduce the risk; it reflects that widespread exploitation at scale has not yet been publicly documented, not that the vulnerability is unexploitable.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects a severe but contained threat. The network-accessible attack vector (AV:N), low complexity (AC:L), and lack of privilege or user interaction requirements (PR:N, UI:N) all drive exploitability. The availability impact (A:H) captures the crash-induced denial of service. However, no confidentiality or integrity loss occurs (C:N, I:N), and the vulnerability does not escape the vulnerable component (S:U), which prevents a critical rating. Organizations should treat this as a high-priority patch and containment issue.

Frequently asked questions

Can this vulnerability lead to remote code execution?

No. CVE-2025-52293 causes a segmentation violation that crashes the MP4Box process but does not allow code execution. The vulnerability is limited to denial of service. The parser's failure to validate SPS data results in memory access violations, not control-flow hijacking.

Does the vulnerability affect all GPAC versions or only v2.4?

Based on available information, GPAC MP4Box v2.4 is the confirmed affected version. Other versions may be vulnerable, but verification requires testing or review of the vendor's advisory. Always consult official GPAC security documentation and release notes for the full scope of affected versions.

How can we process untrusted media files safely if patching is delayed?

Run MP4Box in an isolated environment such as a container or virtual machine to limit blast radius from crashes. Implement filesystem and network sandboxing to restrict the tool's access. Preprocess files with lightweight format validators or use alternative parsers as a first-pass filter. Monitor process health and implement automatic restarts with rate limiting to prevent rapid exploit loops. These measures do not eliminate the vulnerability but reduce operational impact while you prepare patches.

Is this vulnerability currently being exploited in the wild?

The vulnerability is not tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the disclosure date. This does not guarantee the absence of exploitation; it means widespread, documented exploitation campaigns have not been publicly confirmed. Treat the vulnerability as a credible threat and prioritize patching regardless of KEV status.

This analysis is based on vulnerability data published as of June 17, 2026. Patch version numbers and detailed remediation steps should be verified against the official GPAC project repository and security advisories before implementation. Organizations should conduct their own risk assessment and testing in staging environments prior to deploying patches. SEC.co provides this information for situational awareness and does not guarantee its completeness or applicability to all environments. Consult with your vendor and security team for environment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).