CVE-2025-70116
NULL Pointer Dereference in GPAC MP4Box

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: MITRE

Description
A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV).
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-05-28
AI Q&A: 2026-05-27
EPSS Evaluated: N/A
Source: NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: gpac
Product: mp4box
Version / Range: * (all versions)
CWE ID: CWE-UNKNOWN (no CWE assigned)
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-70116 is a vulnerability in GPAC's MP4Box tool where processing certain malformed or truncated MP4 files leads to a crash due to a NULL pointer dereference.

Specifically, when MP4Box parses an invalid or unknown 'stsd' entry missing descriptor fields such as codec, mime, or profile strings, the function gf_media_map_esd calls strlen() on a NULL pointer. This causes a segmentation fault (SEGV) and crashes the program.

The issue arises from improper handling of corrupted media files, leading to invalid memory access and program termination.
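As an added illustration, not GPAC's own code, of the pattern the answer above describes: the unchecked strlen() on descriptor strings beside a form that rejects a descriptor whose fields were never filled in. The struct and function names (sample_desc_t, map_esd_unchecked, map_esd_checked) are hypothetical stand-ins for the real gf_media_map_esd internals.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of the descriptor fields the CVE text
 * names (codec, mime, profile). Constructed for this example; it is not
 * GPAC's real structure. A truncated or unknown stsd entry leaves them NULL. */
typedef struct {
    const char *codec;
    const char *mime;
    const char *profile;
} sample_desc_t;

/* Vulnerable pattern described in the advisory: strlen() is applied to
 * every field unconditionally, so a NULL field is dereferenced and the
 * process crashes (ASan reports a SEGV). Only safe when all fields are set. */
size_t map_esd_unchecked(const sample_desc_t *d) {
    return strlen(d->codec) + strlen(d->mime) + strlen(d->profile);
}

/* Hardened form: an absent required field is a parse error, not a crash.
 * Returns 0 on success (total length written to *out_len), -1 if the
 * descriptor or any of its string fields is missing. */
int map_esd_checked(const sample_desc_t *d, size_t *out_len) {
    if (!d || !out_len || !d->codec || !d->mime || !d->profile)
        return -1;
    *out_len = strlen(d->codec) + strlen(d->mime) + strlen(d->profile);
    return 0;
}

int main(void) {
    /* Constructed inputs: one complete descriptor, one "truncated" descriptor
     * with the fields a broken stsd entry would leave unset. */
    sample_desc_t complete  = { "avc1", "video/mp4", "Baseline" };
    sample_desc_t truncated = { "avc1", NULL, NULL };
    size_t len = 0;

    printf("complete : rc=%d len=%zu\n", map_esd_checked(&complete, &len), len);
    /* The checked version refuses the truncated entry instead of faulting. */
    printf("truncated: rc=%d\n", map_esd_checked(&truncated, &len));
    return 0;
}
```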


How can this vulnerability impact me?

This vulnerability can cause the MP4Box tool to crash when processing certain malformed or truncated MP4 files.

The crash results from a NULL pointer dereference, which leads to a denial-of-service (DoS) condition by terminating the application unexpectedly.

If MP4Box is used in automated media processing pipelines or services, this could disrupt operations or be exploited by attackers to cause service interruptions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by processing potentially malformed or truncated MP4 files with GPAC's MP4Box tool and observing if it crashes due to a segmentation fault (SEGV) in the function gf_media_map_esd.

A practical detection method involves running MP4Box on suspicious MP4 files, especially those with invalid or missing descriptor fields in the stsd box (such as missing codec, mime, or profile strings). If the tool crashes with an AddressSanitizer SEGV error related to a null pointer dereference, the vulnerability is triggered.

For example, on a Kali Linux system with MP4Box built with AddressSanitizer, you can run a command like:

  • mp4box -info suspicious_file.mp4

If the program crashes with a segmentation fault referencing gf_media_map_esd or reports a null pointer dereference, this indicates the presence of the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of GPAC's MP4Box tool on untrusted or malformed MP4 files that could trigger the null pointer dereference and cause a crash.

Additionally, ensure that MP4 files are validated or sanitized before processing with MP4Box to prevent malformed descriptor fields in the stsd box.

If available, update GPAC MP4Box to a version that includes a fix for this vulnerability once released.

In environments where MP4Box is used in automated workflows, consider adding input validation or sandboxing to limit the impact of potential crashes.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in GPAC MP4Box causes a NULL pointer dereference leading to a crash when processing certain malformed MP4 files. This results in a denial-of-service condition due to improper handling of corrupted media files.

There is no information provided in the available resources or CVE description about the impact of this vulnerability on compliance with common standards or regulations such as GDPR or HIPAA.

