MEDIUM 5.5

CVE-2025-55664: GPAC MP4Box Heap Buffer Overflow DoS Vulnerability

CVE-2025-55664 is a heap buffer overflow vulnerability in GPAC MP4Box version 2.4 that can be triggered when processing a specially crafted MP4 file. An attacker can exploit this by tricking a user into opening a malicious MP4 file, causing the application to crash or become unresponsive. This is a local, user-interaction-based attack that does not allow data theft or system compromise, but disrupts availability of the MP4Box tool.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-122
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A heap buffer overflow in the m2tsdmx_send_packet function (filters/dmx_m2ts.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the m2tsdmx_send_packet function within filters/dmx_m2ts.c of GPAC MP4Box v2.4. A heap buffer overflow occurs when the function processes input from a crafted MP4 file without properly validating buffer boundaries. The overflow is triggered during MPEG-2 transport stream demultiplexing operations. This is classified under CWE-122 (Heap-based Buffer Overflow) and requires local file access and user interaction to manifest, but once triggered causes denial of service through process termination or resource exhaustion.

Business impact

Organizations that rely on GPAC MP4Box for media file processing, transcoding workflows, or automated content validation pipelines face availability disruptions. If MP4Box is integrated into batch processing systems or content delivery infrastructure, a crafted file could cause unexpected service halts. The impact is primarily operational rather than security-critical, since confidentiality and integrity are not compromised; however, unexpected crashes may delay time-sensitive media operations and create support overhead.

Affected systems

GPAC MP4Box version 2.4 is directly affected. The vulnerability requires local access to the system running MP4Box and user interaction (opening or processing the malicious file). Systems that have deployed v2.4 for media analysis, transcoding, or format conversion are at risk, particularly if they process files from untrusted sources or accept user-supplied media for automated handling.

Exploitability

Exploitability is moderate. While the attack requires crafting a specific MP4 file and user interaction to open it, creating such a file does not demand specialized knowledge—standard fuzzing or binary manipulation of valid MP4 structures can trigger the overflow. The attack is not remotely exploitable and does not grant code execution, limiting the threat model to denial of service. The CVSS vector (AV:L/AC:L/PR:N/UI:R) reflects this: local attack vector, low attack complexity, no privileges required, but user interaction mandatory.

Remediation

Upgrade GPAC MP4Box to a patched version released after this vulnerability is disclosed. Verify the specific patched version number against the official GPAC project repository and security advisories. Interim mitigations include restricting file processing to known-safe media sources, implementing file validation before passing content to MP4Box, and running the tool in a sandboxed environment where crashes do not cascade to dependent systems.

Patch guidance

Apply the security patch from the GPAC project as soon as it becomes available. Check the official GPAC GitHub repository (https://github.com/gpac/gpac) and their security advisory channel for patch version information. If MP4Box is embedded in a larger product or service, verify that your vendor or distribution has released an updated package. Test the patched version in a non-production environment before broad deployment to ensure compatibility with your media workflows.

Detection guidance

Monitor for unexpected crashes or exits of MP4Box processes, particularly when processing newly acquired or untrusted media files. Log and analyze MP4 files that trigger application failures. If you have debugging symbols available, configure core dump capture and analyze stack traces to confirm involvement of the m2tsdmx_send_packet function. Implement file integrity monitoring on media repositories to detect unauthorized changes. For automated pipelines, add health checks that alert on repeated or clustered MP4Box failures.

Why prioritize this

Although the CVSS score of 5.5 reflects medium severity and the attack requires user interaction, this vulnerability should be prioritized in environments where MP4Box is mission-critical or processes high volumes of external media. The low attack complexity and ease of crafting trigger files mean that once awareness spreads, exploitation attempts are likely. The lack of KEV designation (not yet exploited in the wild) provides a window for patching before active attacks materialize.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) is driven by: (1) Local attack vector only—remote exploitation is not possible; (2) Low attack complexity—no special conditions or configuration needed; (3) No privileges required—any local user can attempt exploitation; (4) User interaction required—a user must open or process the crafted file; (5) Impact limited to availability—the overflow causes denial of service but not confidentiality or integrity breaches. The score appropriately reflects a disruptive but contained threat.

Frequently asked questions

Can this vulnerability be exploited remotely over a network?

No. The CVSS vector shows AV:L (local attack vector), meaning the attacker must have local access to the system or trick a local user into opening a malicious file. Remote exploitation is not possible.

Will applying a patch break my existing MP4 workflows?

Patches typically address the buffer overflow without changing the API or normal use of MP4Box. Verify compatibility in release notes, but most security patches are backward-compatible. Test in a staging environment before production deployment.

What if I cannot patch immediately—are there workarounds?

Yes: validate MP4 files from untrusted sources using alternative tools before passing them to MP4Box; run MP4Box in a container or VM so that crashes are isolated; restrict file sources to known-safe origins; and monitor for crash events. These are interim measures only—patching is the proper fix.

Is there public exploit code for this vulnerability?

As of the vulnerability's public disclosure, no weaponized exploit code has been released. The barrier to entry for crafting a trigger file is low, so responsible disclosure guidance and rapid patching are important.

This analysis is provided for informational and defensive purposes. SEC.co does not provide legal advice or guarantees regarding vendor responses or patch timelines. Verify all technical claims, patch versions, and vendor advisories directly with the GPAC project and your product vendors before making deployment decisions. This vulnerability requires local access and user interaction; it does not permit remote code execution. Always test patches in non-production environments first. Patch availability and timelines may vary by distribution or embedded product. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).