CVE-2025-60481
Deferred Deferred - Pending Action
NULL Pointer Dereference in GPAC MP4Box via AC4 File

Publication date: 2026-06-01

Last updated on: 2026-06-02

Assigner: MITRE

Description
A NULL pointer dereference in the gf_odf_ac4_cfg_dsi_v1 function (/odf/descriptors.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-02
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2025-60481
EUVD
EUVD-2025-210003
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gpac mp4box to 26.02.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-60481 is a null pointer dereference vulnerability in the GPAC project's AC-4 audio descriptor parsing function named gf_odf_ac4_cfg_dsi_v1, located in the file odf/descriptors.c. This vulnerability occurs when the function processes a specially crafted AC-4 audio file that contains invalid or malicious data. The code fails to properly check pointers before accessing substructures, leading to a segmentation fault or crash due to reading memory at a null address.

This issue allows attackers to cause a Denial of Service (DoS) by supplying a crafted AC-4 file to the MP4Box tool in the GPAC project, which triggers the null pointer dereference and crashes the application.

Impact Analysis

The primary impact of this vulnerability is a Denial of Service (DoS) condition. An attacker can exploit this by providing a maliciously crafted AC-4 audio file to the GPAC MP4Box tool, causing it to crash due to a null pointer dereference.

This crash can disrupt normal operations, potentially causing service interruptions or application instability in environments that process AC-4 audio streams using vulnerable versions of GPAC.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or segmentation faults in the GPAC MP4Box tool when processing AC-4 audio files, especially those that are malformed or crafted maliciously.

Using debugging or sanitizing tools such as AddressSanitizer can help identify null pointer dereferences triggered by crafted AC-4 files.

A practical approach is to test suspicious AC-4 files with MP4Box and observe if it crashes or produces AddressSanitizer errors indicating null pointer dereferences.

Example command to test a file for triggering the vulnerability:

  • Run MP4Box on a suspicious AC-4 file: `MP4Box -info crafted_ac4_file.ac4`
  • Run MP4Box under AddressSanitizer or similar memory error detection tools to catch null pointer dereferences.
Mitigation Strategies

The immediate mitigation step is to update GPAC/MP4Box to a version that includes the fix for this vulnerability.

The vulnerability was fixed by adding null checks, bounds checking, and improved error handling in the AC-4 parser as per the commit addressing fuzzing-related issues.

If updating is not immediately possible, avoid processing untrusted or suspicious AC-4 files with MP4Box to prevent denial of service.

Monitor for updates or patches from the GPAC project and apply them as soon as they become available.

Compliance Impact

There is no information provided in the available context or resources about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60481. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart