CVE-2025-60481
NULL Pointer Dereference in GPAC MP4Box via AC4 File
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpac | mp4box | up to 26.02.0 (excluding) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-60481 is a null pointer dereference vulnerability in the GPAC project's AC-4 audio descriptor parsing function named gf_odf_ac4_cfg_dsi_v1, located in the file odf/descriptors.c. This vulnerability occurs when the function processes a specially crafted AC-4 audio file that contains invalid or malicious data. The code fails to properly check pointers before accessing substructures, leading to a segmentation fault or crash due to reading memory at a null address.
This issue allows attackers to cause a Denial of Service (DoS) by supplying a crafted AC-4 file to the MP4Box tool in the GPAC project, which triggers the null pointer dereference and crashes the application.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update GPAC/MP4Box to a version that includes the fix for this vulnerability.
The vulnerability was fixed by adding null checks, bounds checking, and improved error handling in the AC-4 parser as per the commit addressing fuzzing-related issues.
If updating is not immediately possible, avoid processing untrusted or suspicious AC-4 files with MP4Box to prevent denial of service.
Monitor for updates or patches from the GPAC project and apply them as soon as they become available.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
There is no information provided in the available context or resources about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
The primary impact of this vulnerability is a Denial of Service (DoS) condition. An attacker can exploit this by providing a maliciously crafted AC-4 audio file to the GPAC MP4Box tool, causing it to crash due to a null pointer dereference.
This crash can disrupt normal operations, potentially causing service interruptions or application instability in environments that process AC-4 audio streams using vulnerable versions of GPAC.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or segmentation faults in the GPAC MP4Box tool when processing AC-4 audio files, especially those that are malformed or crafted maliciously.
Using debugging or sanitizing tools such as AddressSanitizer can help identify null pointer dereferences triggered by crafted AC-4 files.
A practical approach is to test suspicious AC-4 files with MP4Box and observe if it crashes or produces AddressSanitizer errors indicating null pointer dereferences.
Example command to test a file for triggering the vulnerability:
- Run MP4Box on a suspicious AC-4 file: `MP4Box -info crafted_ac4_file.ac4`
- Run MP4Box under AddressSanitizer or similar memory error detection tools to catch null pointer dereferences.
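The detection advice above (run MP4Box over suspicious AC-4 files, preferably under AddressSanitizer, and watch for crashes) can be turned into a small triage harness. The script below is an added example written for this page; it is not part of the CVE record or of the GPAC project. It assumes an `MP4Box` binary on `PATH`, ideally one compiled with `-fsanitize=address`, and it classifies each run by exit status plus a heuristic match on the ASan report text (a SEGV report whose fault address is zero or a small offset from zero is taken as a null pointer dereference). The parser command is a parameter so the same harness can be pointed at any parser build.

```shell
#!/bin/sh
# Added example (not from the CVE record or the GPAC project): triage a set of
# AC-4 files with a parser command and classify each run as
#   clean, parse-error, crash, or asan-null-deref.
# Assumptions: the parser (e.g. "MP4Box -info") is on PATH; for the
# asan-null-deref verdict it must be an AddressSanitizer build.

# Keep the ASan report readable and avoid leak noise from a crashing process.
ASAN_OPTIONS="${ASAN_OPTIONS:-abort_on_error=0:detect_leaks=0}"
export ASAN_OPTIONS

# classify_run PARSER_CMD FILE
# Runs PARSER_CMD on FILE with stdout discarded and stderr captured,
# then prints one verdict word on stdout.
classify_run() {
    parser="$1"
    file="$2"
    errlog=$(mktemp)
    # Word-splitting of $parser is intended ("MP4Box -info" is two words).
    # The && / || form keeps the real exit status even under `set -e`.
    $parser "$file" >/dev/null 2>"$errlog" && status=0 || status=$?

    # Heuristic: ASan reports a null dereference as a SEGV on an address that
    # is zero or a small positive offset (a field read through a NULL pointer).
    if grep -q "AddressSanitizer: SEGV on unknown address 0x0000000000" "$errlog"; then
        verdict=asan-null-deref
    # Any other sanitizer report, or a process killed by a signal
    # (exit status > 128, e.g. 139 for SIGSEGV), counts as a crash.
    elif grep -q "AddressSanitizer:" "$errlog" || [ "$status" -gt 128 ]; then
        verdict=crash
    # A non-zero exit without a crash indicator: the parser rejected the file.
    elif [ "$status" -ne 0 ]; then
        verdict=parse-error
    else
        verdict=clean
    fi
    rm -f "$errlog"
    printf '%s\n' "$verdict"
}

# triage_dir PARSER_CMD DIR
# Classifies every regular file in DIR, prints "verdict<TAB>path" per file,
# and returns 1 if any crash or null dereference was observed, else 0.
triage_dir() {
    parser="$1"
    dir="$2"
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        v=$(classify_run "$parser" "$f")
        printf '%s\t%s\n' "$v" "$f"
        case "$v" in
            crash|asan-null-deref) bad=1 ;;
        esac
    done
    return "$bad"
}

# Typical use (the command and directory are placeholders):
#   triage_dir "MP4Box -info" ./quarantined-ac4-files
```

Files reported as `crash` or `asan-null-deref` are the ones to keep out of any automated pipeline until the MP4Box build in use is at or past the fixed version; `parse-error` results are ordinary rejections and are not evidence of this issue.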