CVE-2025-60473
Received Received - Intake
NULL Pointer Dereference in GPAC MP4Box Before 26.02.0

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: MITRE

Description
A NULL pointer dereference in the gf_filter_in_parent_chain function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2025-60473
EUVD
EUVD-2025-210334
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gpac mp4box 26.02.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-60473 is a vulnerability in the GPAC multimedia framework, specifically in the function gf_filter_in_parent_chain within the file filter_core/filter_pid.c. The issue is caused by a missing validation check on a parent filter pointer before accessing its memory, which leads to a NULL pointer dereference. This occurs when processing Packet ID chains in MPEG-2 TS files, and can be triggered by supplying a crafted file. The vulnerability causes the application to crash due to attempting to read from an invalid memory location.

The root cause is that the code does not check if the pointer pidi->pid is NULL before accessing its filter member, which leads to a segmentation fault. A patch was made to add this null check to prevent the crash.

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) by crashing the GPAC/MP4Box application when it processes a specially crafted media file. The crash results from a NULL pointer dereference, which leads to a segmentation fault and termination of the program.

If you use GPAC or MP4Box to handle media files, an attacker could exploit this vulnerability by providing a maliciously crafted file that triggers the crash, potentially disrupting media processing workflows or services relying on this software.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the crash condition in the GPAC MP4Box application using a crafted file that triggers the NULL pointer dereference in the gf_filter_in_parent_chain function.

A specific command to reproduce the issue is:

  • ./MP4Box -info 36_gf_filter_in_parent_chain_filter_core_filter_pid_c_2145

When running this command with a malformed MPEG-2 TS file, the application crashes with segmentation faults and logs errors such as invalid sync markers, unsupported stream types, corrupted sections, and PCR discontinuities. Monitoring for these symptoms can help detect the vulnerability.

Mitigation Strategies

The immediate mitigation step is to apply the patch that adds a null check in the gf_filter_in_parent_chain function to prevent the NULL pointer dereference.

Specifically, the fix involves modifying the code to check if the pointer pidi->pid is non-null before accessing its filter member, as done in the commit b8d80b4.

Until the patch is applied, avoid processing untrusted or malformed MPEG-2 TS files with GPAC MP4Box to reduce the risk of triggering the denial of service.

Compliance Impact

The provided information about CVE-2025-60473 does not include any details regarding its impact on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60473. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart