CVE-2025-55657: GPAC MP4Box NULL Pointer Dereference Denial of Service
GPAC MP4Box version 2.4 contains a defect that causes the application to crash when processing a specially crafted MP4 file. An attacker can exploit this by sending a malicious MP4 to any system running the vulnerable software, resulting in service unavailability. No data theft or system compromise occurs—the impact is limited to denial of service.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
A NULL pointer dereference in the gf_odf_vvc_cfg_write_bs function (odf/descriptors.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-55657 is a NULL pointer dereference vulnerability in the gf_odf_vvc_cfg_write_bs function within odf/descriptors.c of GPAC MP4Box v2.4. The flaw occurs when the application attempts to process a crafted MP4 file without proper validation, causing a dereferencing of a null pointer. This triggers an unhandled exception that crashes the process. The vulnerability is classified under CWE-476 (NULL Pointer Dereference) and requires only network access with no authentication or user interaction to trigger.
Business impact
Organizations using GPAC MP4Box v2.4 for media transcoding, streaming infrastructure, or content processing face availability risk. Any automated or online service relying on this tool for MP4 handling becomes vulnerable to disruption. Attackers can repeatedly submit crafted files to exhaust service capacity or prevent legitimate media processing workflows. The absence of confidentiality or integrity impact limits the severity to operational disruption rather than data breach.
Affected systems
GPAC MP4Box v2.4 is the affected version. Systems running this specific release for media file processing, streaming pipeline integration, or content delivery workflows are at risk. Both standalone deployments and integrated instances within media processing frameworks should be inventoried. Earlier and later versions require verification against vendor advisories to confirm exposure status.
Exploitability
Exploitation is straightforward: an attacker needs only to craft a malicious MP4 file and deliver it to a system processing MP4 content. No special privileges, authentication, or user interaction is required. The attack surface is wide for any organization accepting MP4 uploads or processing untrusted media files. Public exploit code is not currently known to be available, but the technical simplicity of NULL pointer dereference exploits means weaponization risk is moderate.
Remediation
Upgrade GPAC MP4Box to a patched version released after June 17, 2026 (the last modification date of this advisory). Until patches are available or tested, restrict processing of untrusted MP4 files and isolate MP4Box instances in sandboxed or network-restricted environments. Consider temporarily disabling automated MP4 intake from external sources if feasible.
Patch guidance
Check the official GPAC project repository and release notes for version updates addressing this vulnerability. Verify patch availability at https://github.com/gpac/gpac or through your distribution mechanism. Test any candidate patch in a non-production environment before deployment, paying particular attention to media processing pipelines that depend on reliable VVC (Versatile Video Coding) descriptor handling. Document the version applied to prevent regression.
Detection guidance
Monitor system logs and process crash dumps for abnormal termination of MP4Box processes correlating with MP4 file processing events. Implement file validation upstream of MP4Box to reject malformed MP4 headers before processing. Network-based detection is difficult without packet inspection; focus on behavioral indicators such as repeated MP4Box crashes following receipt of specific files. Consider sandboxing MP4 processing with resource limits to contain impact.
Why prioritize this
This vulnerability merits prompt but not emergency remediation. The CVSS 7.5 HIGH score reflects network accessibility and ease of exploitation, but the impact is confined to availability. Organizations running MP4Box in user-facing services or critical content pipelines should prioritize patching within 2–4 weeks. Those with MP4 processing in isolated or non-critical workflows can extend the timeline pending patch maturity. Monitor vendor communications for exploitation activity.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH severity) is driven by: (1) Network-accessible attack vector requiring no authentication or interaction (AV:N/AC:L/PR:N/UI:N); (2) High availability impact from crash-induced service disruption (A:H); (3) No confidentiality or integrity compromise (C:N/I:N). The score appropriately reflects the operational risk while acknowledging limited data exposure risk. Organizational context—whether MP4Box handles untrusted external input—should inform local risk weighting.
Frequently asked questions
Can attackers steal data through this vulnerability?
No. CVE-2025-55657 is a denial-of-service defect only. It crashes the application but does not enable data exfiltration, authentication bypass, or system compromise. The attack surface is limited to availability disruption.
Do we need to patch immediately if we don't accept untrusted MP4 files?
Urgency depends on context. If your MP4Box instances process only internally-generated or trusted content, the immediate risk is lower. However, supply chain or third-party integration scenarios warrant faster patching. Evaluate your file intake sources honestly before deferring remediation.
How do we know if we've been exploited?
Look for unexpected MP4Box process crashes in logs or monitoring systems, especially correlated with specific MP4 file submissions. A single crash is usually benign; repeated crashes following file uploads suggest potential attack. Maintain baseline crash metrics to detect anomalies.
Is there a workaround if we can't patch immediately?
Implement sandboxing, file validation, and network segmentation around MP4Box. Run the service with resource quotas to limit impact of repeated crashes. Disable MP4 intake from untrusted sources temporarily if operationally feasible. These are temporary measures; patching is the permanent solution.
This analysis is based on publicly available vulnerability information current as of the advisory publication date. Patch availability, version numbers, and affected software scope should be verified against official vendor advisories before taking remediation action. SEC.co does not provide real-time threat intelligence; supplement this analysis with current threat feeds and vendor communications. The presence or absence of known exploit code does not guarantee exploitation difficulty or real-world attack likelihood. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-55651MEDIUMGPAC MP4Box NULL Pointer Dereference DoS Vulnerability
- CVE-2025-55659MEDIUMGPAC MP4Box NULL Pointer Denial of Service
- CVE-2025-59604HIGHQualcomm Snapdragon Memory Corruption Vulnerability – HIGH Severity
- CVE-2025-59606HIGHQualcomm Chipset Memory Corruption Local Privilege Escalation
- CVE-2025-70099HIGHNULL Pointer Dereference in lwext4 Directory Parsing (Denial of Service)
- CVE-2026-3238HIGHSamba WINS Server NULL Pointer Dereference DoS Vulnerability
- CVE-2026-37226HIGHFlexRIC iApp Denial-of-Service via Invalid E2 Node Subscription
- CVE-2026-37230HIGHFlexRIC v2.0.0 RIC_INDICATION Denial-of-Service Vulnerability