CVE-2025-55648
Analyzed Analyzed - Analysis Complete

Heap Buffer Overflow in GPAC MP4Box

Vulnerability report for CVE-2025-55648, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: MITRE

Description

A heap buffer overflow in the gf_opus_parse_packet_header function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gpac gpac to 26.02.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by analyzing the behavior of GPAC MP4Box when processing MP4 files, especially crafted files containing corrupted sample-size (stsz) data for an Opus track.

AddressSanitizer was used to detect the heap buffer overflow, reporting errors during parsing in the gf_opus_parse_packet_header function.

To detect the vulnerability on your system, you can run MP4Box with AddressSanitizer enabled on suspicious or untrusted MP4 files to observe any heap buffer overflow errors.

  • Compile GPAC MP4Box with AddressSanitizer enabled (e.g., using GCC or Clang with -fsanitize=address).
  • Run a command like: `ASAN_OPTIONS=detect_leaks=0 ./MP4Box -info crafted_file.mp4` to trigger parsing and detect memory errors.
  • Monitor logs or AddressSanitizer output for heap buffer overflow reports related to gf_opus_parse_packet_header.
Mitigation Strategies

To mitigate this vulnerability, you should avoid processing untrusted or crafted MP4 files with vulnerable versions of GPAC MP4Box.

Update GPAC MP4Box to a version that includes the fix for this vulnerability, specifically versions including or after the commit `61bbfd2e89553373ba3449b8ec05b5f098d732a5`.

If an immediate update is not possible, consider restricting access to MP4Box or sandboxing its execution to limit potential damage from Denial of Service attacks.

  • Do not open or process MP4 files from untrusted sources until patched.
  • Apply the official patch or upgrade to a fixed version of GPAC MP4Box.
  • Use runtime protections such as AddressSanitizer during testing to detect exploitation attempts.
Executive Summary

This vulnerability is a heap buffer overflow found in the function gf_opus_parse_packet_header within the media_tools/av_parsers.c file of GPAC MP4Box version 2.4. It occurs when the software processes a specially crafted MP4 file, which can cause the program to behave unexpectedly.

Specifically, the overflow happens in the heap memory area, which can lead to memory corruption.

Impact Analysis

An attacker exploiting this vulnerability can cause a Denial of Service (DoS) condition by supplying a crafted MP4 file to GPAC MP4Box v2.4. This means the application may crash or become unresponsive, disrupting normal operations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-55648. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart