CVE-2025-55639
Status: Received - Intake
NULL Pointer Dereference in GPAC MP4Box via MP4 File

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: MITRE

Description
GPAC MP4Box v2.4 was discovered to contain a NULL pointer dereference in the gf_isom_add_track_kind() function at isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Affected Vendors & Products (1 associated CPE)
Vendor: gpac | Product: mp4box | Version / Range: 2.4
CWE
CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-55639 is a NULL pointer dereference vulnerability found in the GPAC MP4Box tool version 2.4, specifically in the function gf_isom_add_track_kind() located in the file isomedia/isom_write.c.

This vulnerability occurs when the function processes specially crafted MP4 files containing MPEG-H Audio tracks and fails to properly validate the 'kind' parameter before passing it to the strdup() function. This leads to a NULL pointer dereference, causing the program to crash with a segmentation fault.

An attacker can exploit this by providing a malicious MP4 file that triggers this condition, resulting in a Denial of Service (DoS) due to the crash.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can cause the GPAC MP4Box application to crash when processing a specially crafted MP4 file, leading to a Denial of Service (DoS).

If you use GPAC MP4Box in your media processing workflows, an attacker could exploit this flaw to disrupt your service or application by causing it to terminate unexpectedly.

Detection Guidance

This vulnerability can be detected by testing the GPAC MP4Box tool with specially crafted MP4 files that trigger the NULL pointer dereference in the gf_isom_add_track_kind() function.

One practical approach is to use a proof-of-concept (PoC) MP4 file designed to cause the crash, such as the '23_poc.mp4' file referenced in the resources.

To detect the vulnerability, run MP4Box on the crafted MP4 file and observe whether it crashes with a segmentation fault or, in an AddressSanitizer build, whether ASan reports a SEGV.

  • Command example to test the vulnerability: mp4box -add 23_poc.mp4 output.mp4
  • Monitor for crashes or segmentation faults during processing.
Mitigation Strategies

The immediate mitigation step is to update GPAC MP4Box to a version that includes the patch fixing the NULL pointer dereference.

The fix involves adding a null check in the gf_isom_add_track_kind() function to prevent dereferencing a null pointer, as implemented in the commit referenced.

  • Apply the patch from commit 027ce139dda498ee95df36db9f9f6f3cadce8ec9 or upgrade to a version of GPAC containing this fix.
  • Avoid processing untrusted or suspicious MP4 files until the patch is applied.
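As an added illustration of the defect class and the fix described above, here is a constructed C model (hypothetical names, not GPAC's own code): a track-kind entry whose strings are copied with strdup(), first with no parameter check, then with the NULL check that turns the crash into a parse error.

```c
#define _POSIX_C_SOURCE 200809L  /* declares strdup() */
#include <stdlib.h>
#include <string.h>

/* Constructed model of a track "kind" entry (scheme URI + value strings).
 * Hypothetical names; this is not GPAC's gf_isom_add_track_kind(). */
typedef struct { char *scheme_uri; char *value; } track_kind_t;
typedef enum { KIND_OK = 0, KIND_BAD_PARAM = -1, KIND_OUT_OF_MEM = -2 } kind_err_t;

/* Vulnerable shape (CWE-476): strings taken from the file are passed to
 * strdup() unchecked, so a NULL produced by a malformed box is dereferenced
 * and the process dies with SIGSEGV. Shown for contrast; never call with NULL. */
kind_err_t add_track_kind_unchecked(track_kind_t *out, const char *scheme_uri, const char *value)
{
    out->scheme_uri = strdup(scheme_uri);  /* strdup(NULL) is the crash site */
    out->value = strdup(value);
    return KIND_OK;
}

/* Hardened shape: reject NULL before any dereference and return an error the
 * parser can report as a corrupt file; unwind a half-built entry on
 * allocation failure so nothing leaks. */
kind_err_t add_track_kind(track_kind_t *out, const char *scheme_uri, const char *value)
{
    if (!out || !scheme_uri || !value) return KIND_BAD_PARAM;
    out->scheme_uri = strdup(scheme_uri);
    if (!out->scheme_uri) return KIND_OUT_OF_MEM;
    out->value = strdup(value);
    if (!out->value) { free(out->scheme_uri); out->scheme_uri = NULL; return KIND_OUT_OF_MEM; }
    return KIND_OK;
}

void track_kind_free(track_kind_t *k) { free(k->scheme_uri); free(k->value); k->scheme_uri = k->value = NULL; }

/* Self-check: valid strings are copied; NULL is rejected without writing to
 * the entry. Returns 1 when every expectation holds, 0 otherwise. */
int track_kind_selfcheck(void)
{
    track_kind_t k = { NULL, NULL };
    if (add_track_kind(&k, "urn:example:kind", "mpegh") != KIND_OK) return 0;
    int ok = !strcmp(k.scheme_uri, "urn:example:kind") && !strcmp(k.value, "mpegh");
    track_kind_free(&k);
    ok = ok && add_track_kind(&k, NULL, "mpegh") == KIND_BAD_PARAM && !k.scheme_uri;
    ok = ok && add_track_kind(&k, "urn:example:kind", NULL) == KIND_BAD_PARAM && !k.value;
    return ok;
}
```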