MEDIUM 5.5

CVE-2025-60483: MP4Box AC4 Parser NULL Pointer DoS Vulnerability

A flaw in GPAC Project/MP4Box's AC4 audio file parser can crash the application when processing a specially crafted audio file. An attacker would need to trick a user into opening a malicious AC4 file, causing the service to stop responding. This is a moderate-risk issue affecting organizations that rely on MP4Box for media processing or transcoding workflows.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A NULL pointer dereference in the gf_ac4_pres_b_4_back_channels_present function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-60483 is a NULL pointer dereference vulnerability in the gf_ac4_pres_b_4_back_channels_present function located in /media_tools/av_parsers.c. The vulnerability exists in GPAC Project/MP4Box versions prior to 26.02.0. When the parser encounters a malformed AC4 audio file with specific structural anomalies, it attempts to dereference a NULL pointer without proper validation, resulting in an immediate crash of the MP4Box process. The vulnerability is classified as CWE-476 (NULL Pointer Dereference).

Business impact

Organizations using MP4Box for automated media ingestion, transcoding, or validation pipelines may experience service disruptions if untrusted AC4 files are processed. This is particularly relevant for media distribution platforms, streaming services, and content management systems that accept user-uploaded audio or process third-party media feeds. Repeated exploitation could degrade system availability and interrupt scheduled encoding or analysis tasks, though no data loss or unauthorized access is possible.

Affected systems

GPAC Project/MP4Box versions before 26.02.0 are affected. The vulnerability is triggered specifically when parsing AC4 (AC-4, or ATSC Compressed Audio) encoded media files. Systems that do not process AC4 audio or do not use MP4Box for media handling are unaffected. Verify your installed version against the vendor baseline of 26.02.0 and later.

Exploitability

Exploitation requires user interaction—an attacker must deliver a crafted AC4 file and convince or trick a user or automated system to process it with a vulnerable version of MP4Box. The attack vector is local (AV:L), meaning the malicious file must exist on or be accessible to the target system. No authentication or special privileges are required. Once a vulnerable version processes the file, the denial of service is immediate and reliable. The overall exploitability is moderate but not trivial due to the user interaction requirement.

Remediation

Upgrade GPAC Project/MP4Box to version 26.02.0 or later. Verify the exact version installed in your environment and cross-reference against the official GPAC release notes. For organizations unable to immediately upgrade, implement input validation and file-type filtering to restrict processing of AC4 files from untrusted sources, and consider disabling AC4 support if not essential to your workflows.

Patch guidance

The vendor has resolved this issue in MP4Box version 26.02.0. Obtain the patched version from the official GPAC Project repository or distribution channel. Before deploying the update, verify the build number and integrity of the release package. Test the patched version in a non-production environment to ensure compatibility with your media processing pipeline, particularly if you have custom integrations or scripts that depend on specific MP4Box behavior. Plan the upgrade during a maintenance window to minimize disruption to active workflows.

Detection guidance

Monitor for MP4Box process crashes or abnormal terminations, particularly when processing media files from external or untrusted sources. Log file analysis should capture segmentation faults or NULL pointer errors in the av_parsers.c module. If your infrastructure uses centralized logging or application performance monitoring, alert on unexpected MP4Box exit codes or service restarts. Consider implementing file-type validation at ingestion points to reject or quarantine AC4 files from unexpected sources. Network-based detection is not practical; focus on host-level observability and process monitoring.

Why prioritize this

Although the CVSS score is moderate (5.5), the vulnerability merits prioritization because it affects media processing infrastructure which often operates in batch or automated modes where user interaction may be minimal or implicit. The impact is denial of service, not data compromise, but in media workflows, availability is often critical for downstream operations. Organizations with public-facing media upload features or third-party content integration should treat this as a higher priority to prevent user-facing outages.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects: local attack vector (the file must be on or accessible to the system), low attack complexity (a straightforward file structure triggers the crash), no privileges required, user interaction required (someone must open or process the file), and high availability impact (guaranteed service disruption). The score does not account for confidentiality or integrity impact because none occurs. Businesses with mission-critical media processing or high-volume automated ingestion may consider this functionally equivalent to a higher-severity issue in their environment.

Frequently asked questions

Does this vulnerability allow an attacker to steal data or gain unauthorized access?

No. The vulnerability is strictly a denial-of-service condition. It crashes the MP4Box process but does not enable data exfiltration, unauthorized file access, or privilege escalation. The impact is limited to service availability.

Which audio formats are affected?

Only AC4 (ATSC Compressed Audio) files trigger this vulnerability. If your organization does not process AC4 audio—for example, if you work exclusively with AAC, MP3, or other formats—you are not affected by this issue.

Can this be exploited remotely over the network?

No. The attack vector is local, meaning the malicious AC4 file must be on or accessible to the system running MP4Box. However, in environments where MP4Box is exposed via APIs, web services, or file-sharing integrations, remote users could indirectly trigger the vulnerability by uploading a crafted AC4 file.

What versions of MP4Box should we use to be safe?

Upgrade to version 26.02.0 or later. Verify your current version by running 'MP4Box -version' and cross-reference the build number against the official GPAC release notes to confirm you have the patched version installed.

This analysis is provided for informational purposes and should not be considered legal or professional security advice. Organizations should conduct their own risk assessments based on their specific infrastructure, data classification, and business criticality. Patch versions, affected product details, and vendor advisories should be independently verified against official GPAC Project documentation and security notices. No exploit code or weaponized proof-of-concept is provided. SEC.co assumes no liability for decisions made based on this intelligence. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).