CVE-2025-55664
Heap Buffer Overflow in GPAC MP4Box
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpac | mp4box | 2.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability CVE-2025-55664 is a heap buffer overflow that can cause a Denial of Service (DoS) in GPAC MP4Box when processing crafted MP4 files. It does not involve unauthorized access to sensitive data or data breaches.
Since the vulnerability impacts availability by causing DoS but does not affect confidentiality or integrity of data, its direct impact on compliance with standards like GDPR or HIPAAβwhich focus heavily on data protection and privacyβis limited.
However, any denial of service could indirectly affect compliance if it disrupts critical services or availability requirements mandated by such regulations.
Can you explain this vulnerability to me?
CVE-2025-55664 is a heap buffer overflow vulnerability in the m2tsdmx_send_packet function of GPAC MP4Box version 2.4. This function is part of the MPEG-2 Transport Stream demuxer located in filters/dmx_m2ts.c. The vulnerability occurs when the software processes a maliciously crafted MPEG-2 TS file with corrupted packet structures. Specifically, the demuxer does not properly validate the size of data before performing memory copy operations, which can cause an out-of-bounds read or write on the heap.
An attacker can exploit this by supplying a specially crafted MP4 or MPEG-2 TS file that triggers the heap buffer overflow, potentially leading to memory corruption or crashes.
The issue was fixed by adding boundary checks to ensure that packets with insufficient length are not processed, preventing the overflow.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to cause a Denial of Service (DoS) condition on systems running GPAC MP4Box v2.4 by crashing the application through heap memory corruption.
In more severe cases, the heap buffer overflow could potentially be exploited to execute arbitrary code, leading to a compromise of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing the processing of MPEG-2 Transport Stream (TS) files by GPAC's MP4Box tool, specifically looking for heap buffer overflow issues in the m2tsdmx_send_packet function.
One practical approach is to use AddressSanitizer or similar memory error detection tools to run GPAC MP4Box against suspicious or crafted TS files to detect heap overflows.
For example, you can run a command like:
- ASAN_OPTIONS=detect_leaks=1 mp4box -add suspicious_file.ts output.mp4
This will help detect memory corruption issues triggered by malformed TS files.
Additionally, monitoring logs or crashes related to GPAC MP4Box when processing MPEG-2 TS files can indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update GPAC MP4Box to a version that includes the fix for CVE-2025-55664.
The fix involves adding boundary checks in the m2tsdmx_send_packet function to prevent processing of packets with insufficient length, thereby avoiding heap buffer overflows.
If updating is not immediately possible, avoid processing untrusted or suspicious MPEG-2 TS files with GPAC MP4Box.
Monitoring and restricting input files to trusted sources can reduce the risk of exploitation.