CVE-2025-60485: MP4Box Segmentation Fault DoS Vulnerability (GPAC < 26.02.0)
CVE-2025-60485 is a memory safety flaw in GPAC's MP4Box tool that causes the application to crash when processing a specially crafted MP4 media file. An attacker can exploit this by distributing a malicious MP4 that triggers the crash, disrupting service for anyone using MP4Box to process or analyze video files. The vulnerability requires local access and user interaction (opening or processing the file), so it is most relevant in environments where untrusted media files are routinely handled.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A segmentation violation in the gf_isom_apple_set_tag_ex function (/isomedia/isom_write.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
A null pointer dereference (CWE-476) exists in the gf_isom_apple_set_tag_ex function within /isomedia/isom_write.c of GPAC Project's MP4Box. The flaw occurs during the handling of Apple iTunes metadata tags in MP4 containers. When a crafted MP4 file with malformed tag structures is processed, the function fails to validate pointer state before dereferencing, triggering a segmentation fault. This is a local, user-triggered denial of service that does not lead to code execution or data leakage.
Business impact
Organizations relying on MP4Box for batch video processing, media transcoding, automated QA workflows, or metadata extraction face potential service disruption. If MP4Box runs as part of an unattended pipeline (for example, in a content delivery network, streaming platform, or video hosting service), a crafted file uploaded by a malicious actor could halt processing jobs, delay content publishing, or consume resources via repeated crash-and-restart cycles. The impact is operational availability rather than confidentiality or integrity of data.
Affected systems
GPAC Project's MP4Box versions prior to 26.02.0 are vulnerable. MP4Box is a command-line utility bundled with the GPAC framework, widely used in academic, research, and production media workflows. Any deployment of GPAC < 26.02.0 that processes untrusted or user-supplied MP4 files is at risk. Verify your deployed version against the vendor's release notes to confirm if your installation is affected.
Exploitability
Exploitability is straightforward from a technical standpoint: an attacker needs only to craft an MP4 file with malformed Apple tag metadata and distribute it to a target. However, practical exploitation requires a victim to process the file with a vulnerable version of MP4Box, making this primarily a risk in automated workflows or open platforms where users upload media. The CVSS score of 5.5 (Medium) reflects the requirement for local access and user interaction, and the limitation of impact to availability (crashing the process) rather than system compromise.
Remediation
Upgrade GPAC to version 26.02.0 or later. This release patches the segmentation violation in gf_isom_apple_set_tag_ex. Before patching, organizations should review their MP4Box deployment to identify which systems are exposed, particularly automated processing pipelines. If immediate patching is not feasible, implement input validation to reject or quarantine suspicious MP4 files, or restrict MP4Box processing to trusted sources only.
Patch guidance
Upgrade GPAC to version 26.02.0 or later. Verify the patch by checking the GPAC release notes and the version string of your MP4Box installation (run `mp4box -version`). Test the patched version against your existing media processing workflows to ensure compatibility before rolling out to production. No additional configuration changes are required after patching.
Detection guidance
Monitor for MP4Box process crashes or segmentation faults (SIGSEGV signals) in system logs, particularly in automated media processing environments. Log the MD5 or SHA256 hash of any MP4 files that trigger crashes, as they may indicate a weaponized sample. If you operate a content platform, track upload patterns for MP4 files with unusual metadata structures or compression anomalies. Consider implementing sandboxed testing of uploaded media files in a controlled environment before accepting them into your main workflow.
Why prioritize this
Although the CVSS score is Medium (5.5), prioritization depends on your deployment model. If MP4Box runs in an automated, unattended pipeline exposed to user-supplied content, this becomes a high-priority fix because a DoS can disrupt business-critical workflows. Conversely, if MP4Box is used only manually in controlled environments by trusted operators, remediation can be scheduled in a regular patch cycle. The lack of KEV designation confirms this is not yet being actively exploited, affording organizations time to test and deploy patches.
Risk score, explained
The CVSS v3.1 score of 5.5 reflects a local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and user interaction mandatory (UI:R). The impact is confined to availability (A:H), with no confidentiality or integrity effects. This medium rating is appropriate for a denial-of-service flaw that requires an attacker to trick or socially engineer a user into processing a malicious file, but it underscores the importance of evaluating context: in automated, open platforms, the practical risk is higher because user interaction happens at scale.
Frequently asked questions
Can this vulnerability be exploited remotely, or does it require local access?
It requires local access in the strict sense that MP4Box must run on the affected system. However, the barrier to exploitation is low: an attacker can distribute a malicious MP4 file via email, a file-sharing service, or a content upload platform, and rely on the target user or automated process to open it. The 'local' designation in CVSS means the attacker cannot trigger it over the network without a user's action, but in practice, social engineering or platform automation makes exploitation accessible.
Will upgrading to 26.02.0 break my existing MP4Box scripts or workflows?
Version 26.02.0 is a maintenance release focused on security and stability. No breaking changes to the command-line interface or core functionality are documented. However, test the upgrade in a non-production environment first to verify compatibility with your specific media files and processing pipelines, as audio or video codec support may have changed.
Are there workarounds if I cannot patch immediately?
Yes. Restrict MP4Box to process only media files from trusted sources, implement file validation to reject MP4s with suspicious Apple tag structures, run MP4Box in a sandboxed or containerized environment to limit the impact of crashes, and monitor system logs for segmentation faults. These are temporary mitigations and do not eliminate the risk.
Why is this not in the CISA KEV catalog?
KEV entries are added when there is evidence of active exploitation in the wild. As of the latest data, CVE-2025-60485 is not yet being weaponized or exploited by threat actors. This is an opportunity to patch proactively before the vulnerability becomes mainstream knowledge.
This analysis is provided for informational purposes and reflects information available as of the publication date. CVSS scores and patch version numbers are sourced from official vendor advisories and CVE records. Readers are responsible for verifying patch availability, compatibility, and applicability to their specific deployments. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence and disclaims liability for damages arising from reliance on this information. Always consult official vendor documentation and conduct internal testing before deploying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-60477MEDIUMMP4Box NULL Pointer Dereference Denial of Service
- CVE-2025-60481MEDIUMGPAC MP4Box NULL Pointer DoS Vulnerability (v26.02.0 Patch)
- CVE-2025-60483MEDIUMMP4Box AC4 Parser NULL Pointer DoS Vulnerability
- CVE-2025-60495MEDIUMMP4Box Segmentation Fault DoS Vulnerability – Patching Guide
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-28581MEDIUMAndroid Emergency Call Logic Error Vulnerability
- CVE-2026-46118MEDIUMLinux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)
- CVE-2026-46127MEDIUMLinux Kernel OCRDMA Null Pointer Dereference (DoS)