MEDIUM 5.5

CVE-2025-60481: GPAC MP4Box NULL Pointer DoS Vulnerability (v26.02.0 Patch)

GPAC Project's MP4Box, a widely-used multimedia framework and command-line tool, contains a flaw in how it processes AC4 audio configuration data within media files. When a specially crafted AC4 file is opened, the application crashes due to a null pointer dereference—essentially trying to access memory that hasn't been properly initialized. This is a local denial-of-service vulnerability that requires user interaction (opening the malicious file) but could disrupt workflows involving media processing or transcoding pipelines.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A NULL pointer dereference in the gf_odf_ac4_cfg_dsi_v1 function (/odf/descriptors.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-60481 stems from improper null-pointer validation in the gf_odf_ac4_cfg_dsi_v1 function within GPAC's ODF (Object Descriptor Framework) descriptor parsing code (/odf/descriptors.c). The vulnerability occurs when parsing AC4 (AC-4 Enhanced Audio Codec) configuration data structures embedded in media files. An attacker-controlled AC4 file with a missing or malformed configuration data section can trigger a null pointer dereference, causing MP4Box or any application linking the GPAC library to crash. The flaw is classified as CWE-476 (NULL Pointer Dereference) and carries a CVSS 3.1 score of 5.5 (Medium severity, local vector, no authentication required, user interaction required, high availability impact).

Business impact

Organizations relying on GPAC/MP4Box for automated media processing, digital asset management, transcoding workflows, or content distribution pipelines face service disruption risk. A single malicious file uploaded to a media ingestion system could crash the processing service, potentially halting batch jobs or live-streaming workflows. This is particularly relevant for media production companies, streaming platforms, and enterprises managing large video libraries. The impact is constrained to availability; data confidentiality and integrity are not affected. However, in security-critical environments, repeated crashes could be leveraged as a vector for operational harassment or to mask other suspicious activities.

Affected systems

GPAC Project's MP4Box and the underlying GPAC multimedia framework versions before 26.02.0 are affected. Any application statically or dynamically linked against vulnerable GPAC libraries is at risk. This includes desktop tools (MP4Box command-line utility), embedded media engines, and middleware used in content management systems. The vendor_products field in the source data is empty, indicating no specific commercial product bundle has been officially listed; however, open-source projects and in-house systems incorporating GPAC are in scope.

Exploitability

Exploitability is moderate. The attack requires local file system access or the ability to upload a crafted AC4 file to a system running MP4Box or a GPAC-based application. No network propagation, privilege escalation, or authentication bypass is required. The barrier to entry is low—crafting a malformed AC4 file is straightforward for someone with basic knowledge of the AC4 container format. However, exploitation is not automatic; it depends on user action (opening/processing the file). Real-world exploitation would likely target automated media ingestion systems that process untrusted user uploads without proper sandboxing.

Remediation

Upgrade GPAC Project's MP4Box to version 26.02.0 or later. Organizations should inventory all systems running GPAC or MP4Box, verify their current versions, and apply the patch. For applications embedding GPAC as a library, coordinate with vendors or rebuild against the patched library version. Interim mitigation involves restricting file upload sources and processing untrusted AC4 files in isolated, sandboxed environments.

Patch guidance

Update MP4Box and GPAC libraries to version 26.02.0 or later. Verify the update through GPAC's official GitHub releases or your vendor's patch advisory. If using GPAC as a library dependency in your own application, rebuild and redeploy after updating the library. Test the patched version against your media processing workflows to ensure compatibility and performance.

Detection guidance

Monitor MP4Box and GPAC-linked application crash logs for null pointer dereference errors in the gf_odf_ac4_cfg_dsi_v1 function or related ODF descriptor parsing routines. Watch for unexpected application terminations when processing AC4 files, particularly from external or untrusted sources. Network-based detection is limited; focus on endpoint telemetry, application error logs, and process crash dumps. Implement input validation and sandboxing for untrusted media file processing to contain the impact.

Why prioritize this

This vulnerability merits prompt but not emergency remediation. The CVSS score of 5.5 (Medium) reflects its limited scope—local impact only, user interaction required—but the ease of exploitation and potential for workflow disruption in media-heavy organizations elevate practical priority. It is not currently tracked in the CISA KEV catalog, indicating limited evidence of active weaponization, but organizations processing user-uploaded media should prioritize it within their standard patch cycle (30–60 days). Apply sooner if you operate automated media ingestion pipelines.

Risk score, explained

The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) yields a score of 5.5 (Medium). Local attack vector (AV:L) and low attack complexity (AC:L) indicate a straightforward exploitation path. No privilege escalation required (PR:N), but user interaction is mandatory (UI:R)—the file must be opened or processed. The scope is unchanged (S:U), and there is no confidentiality or integrity impact (C:N/I:N). The high availability impact (A:H) reflects the guaranteed crash when the flaw is triggered. The Medium severity reflects the practical constraint that widespread exploitation requires mass distribution of malicious AC4 files or targeting known media processing workflows.

Frequently asked questions

Will this crash my media files or corrupt my data?

No. The vulnerability causes the application to crash (denial of service) but does not corrupt, delete, or expose your media files. Once you upgrade to the patched version, your files are unaffected.

Do I need to do anything if I don't use MP4Box or GPAC directly?

Only if your organization uses commercial or in-house software that embeds GPAC for media processing. Check your vendor documentation or contact support to determine if your media platform depends on GPAC. Most mainstream media players and frameworks have moved to alternative audio codec libraries, so exposure is concentrated in specialized media tooling.

What's the difference between an AC4 file and a regular MP4?

AC4 is an advanced audio codec format used in some professional media workflows and next-generation broadcast standards. Most consumer media uses AAC or other audio codecs. Exposure is mainly for organizations handling professional or broadcast content production.

Is this being actively exploited in the wild?

As of the published date, there is no evidence of active exploitation or public proof-of-concept code. However, the low complexity of crafting a malicious AC4 file means the vulnerability could be weaponized quickly if not patched, particularly in targeted supply-chain or content-distribution scenarios.

This analysis is based on published vulnerability data as of June 2026 and does not constitute legal advice or a guarantee of security. Patch version numbers and vendor status are accurate to the source data provided; always verify against official vendor advisories before deploying patches. Exploit code is not provided herein. Organizations should conduct their own risk assessment and testing in development environments before applying patches to production systems. SEC.co makes no warranty regarding the completeness or accuracy of vulnerability intelligence and recommends independent verification of all technical claims. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).