CVE-2025-60495: MP4Box Segmentation Fault DoS Vulnerability – Patching Guide
GPAC's MP4Box, a widely-used multimedia toolkit, contains a memory safety flaw in its color information parsing logic. When MP4Box processes a specially crafted media file, the vulnerable code attempts to access memory in an unsafe manner, causing the application to crash. An attacker with the ability to supply a malicious file to a user or system running MP4Box can trigger this denial of service. This is a local impact issue—it requires user interaction to open the file—but the barrier to exploitation is low.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A segmentation violation in the gf_media_get_color_info function (/media_tools/isom_tools.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted data file.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-60495 is a null pointer dereference (CWE-476) in the gf_media_get_color_info function within /media_tools/isom_tools.c of GPAC Project/MP4Box versions prior to 26.02.0. The vulnerability manifests as a segmentation violation when the function processes color metadata from an ISO Base Media File Format (MP4) file without proper bounds or validity checking. An attacker-supplied crafted MP4 or similar container file containing malformed color information structures can dereference invalid memory, terminating the process. The issue is triggered during file parsing, making it reachable via any code path that invokes color metadata extraction.
Business impact
This vulnerability primarily affects availability. Organizations relying on MP4Box for automated media transcoding, ingestion, content delivery pipelines, or media analysis workflows face service interruptions if a single malicious file causes a crash. In high-volume or continuous processing environments—such as streaming platforms, broadcast facilities, or media storage appliances—an attacker could selectively target batch jobs or real-time workflows. The attack surface is proportional to how widely a system accepts untrusted media files from external sources. For most enterprises, impact is moderate unless MP4Box is core to a user-facing or production pipeline.
Affected systems
GPAC Project/MP4Box versions below 26.02.0 are vulnerable. MP4Box is commonly embedded in open-source and commercial media frameworks, transcoding solutions, and content management systems. The vulnerability affects any deployment processing media files from untrusted sources—including web applications accepting user uploads, media archives processing external submissions, and automation systems handling third-party content. Organizations using patched versions (26.02.0 and later) are not affected. Verify your specific version and integration points to assess exposure.
Exploitability
Exploitation requires local file system access or the ability to supply a crafted media file to a system running the vulnerable MP4Box version. There is no network attack vector; the vulnerability cannot be triggered remotely unless the target system exposes a service that accepts and processes media files (e.g., a web application). User interaction is necessary—someone must initiate file processing. Attack complexity is low; creating a malformed MP4 file is straightforward and does not require specialized knowledge. Once delivered, exploitation is reliable and causes immediate denial of service. This is not included in CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting no widespread active exploitation has been observed as of the publication date.
Remediation
Upgrade GPAC Project/MP4Box to version 26.02.0 or later. This patch addresses the null pointer dereference in the color information parsing function. For organizations unable to upgrade immediately, implement input validation and file filtering to reject or quarantine suspicious media files. Consider running MP4Box processes with reduced privileges, in containers, or sandboxed environments to limit damage from process crashes. Monitor logs for segmentation faults or unexpected MP4Box terminations as indicators of exploitation attempts.
Patch guidance
Apply the GPAC Project/MP4Box update to version 26.02.0 or later as soon as possible in your development and production environments. Verify the patch through the official GPAC repository or your distribution vendor. Test the patch in a non-production environment first to ensure compatibility with your specific media workflows and integrations. If MP4Box is vendored or embedded in a commercial product, check with your vendor for a patched release; patching timelines may differ.
Detection guidance
Monitor for segmentation faults (SIGSEGV) or abnormal terminations of MP4Box processes, particularly those handling media files from untrusted sources. Implement file integrity and reputation checks to identify malicious or anomalous media files before processing. Review access logs for attempts to upload or submit media files to systems running older MP4Box versions. In automated environments, log the exit codes and error messages of media processing tasks; a crash with a segmentation violation may indicate exploitation. Network-based detection is limited; focus on endpoint and application-level monitoring.
Why prioritize this
Although CVSS rates this as MEDIUM (5.5), prioritize patching based on your media processing footprint. If MP4Box is used in production transcoding, web uploads, or content pipelines, the impact of unexpected service restarts can be significant. The attack surface depends on whether your systems accept media from untrusted sources; if they do, this should be addressed promptly. The fix is straightforward and low-risk, making this an ideal candidate for early patching. Organizations with isolated or offline MP4Box deployments may deprioritize but should still plan an update cycle.
Risk score, explained
The CVSS 3.1 score of 5.5 (MEDIUM) reflects a local attack vector, low complexity, and high impact on availability with no confidentiality or integrity concerns. The presence of user interaction (file opening) prevents a higher score. In real-world context, risk is elevated for organizations processing high volumes of external media; the actual risk to your organization depends on your specific workflows and trust boundaries around media file sources.
Frequently asked questions
Can this vulnerability be exploited remotely over the network?
No. The vulnerability requires local file access or the ability to supply a file to a system running MP4Box. There is no remote code execution or network-based trigger. However, if your system exposes a web service that accepts and processes media uploads, an attacker can indirectly trigger the vulnerability by uploading a malicious file.
What versions of MP4Box are affected?
All versions prior to 26.02.0 are vulnerable. Verify your installed version using the appropriate command or package manager. If you are using MP4Box as a dependency in a larger application or framework, check that the dependency version is 26.02.0 or later.
Is there an exploit or proof-of-concept publicly available?
As of the publication date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no widespread public exploit has been reported. This does not guarantee future safety; assume that crafted media files capable of triggering the vulnerability can be generated.
What is the impact on confidentiality and integrity?
None. This is a denial-of-service vulnerability only. It causes the MP4Box process to crash but does not leak sensitive data, corrupt files, or allow code execution. The risk is service unavailability, not data exposure or compromise.
This analysis is provided for informational purposes and reflects the state of the vulnerability as of the publication date. Verify all technical details, patch versions, and affected systems against official vendor advisories and your own security assessments. SEC.co does not guarantee the completeness or real-time accuracy of this information. Organizations must conduct their own risk assessment based on their specific systems, configurations, and threat environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-60477MEDIUMMP4Box NULL Pointer Dereference Denial of Service
- CVE-2025-60481MEDIUMGPAC MP4Box NULL Pointer DoS Vulnerability (v26.02.0 Patch)
- CVE-2025-60483MEDIUMMP4Box AC4 Parser NULL Pointer DoS Vulnerability
- CVE-2025-60485MEDIUMMP4Box Segmentation Fault DoS Vulnerability (GPAC < 26.02.0)
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-28581MEDIUMAndroid Emergency Call Logic Error Vulnerability
- CVE-2026-46118MEDIUMLinux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)
- CVE-2026-46127MEDIUMLinux Kernel OCRDMA Null Pointer Dereference (DoS)