CVE-2025-60483
Deferred Deferred - Pending Action
NULL Pointer Dereference in GPAC MP4Box via Malicious AC4 File

Publication date: 2026-06-01

Last updated on: 2026-06-02

Assigner: MITRE

Description
A NULL pointer dereference in the gf_ac4_pres_b_4_back_channels_present function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-02
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2025-60483
EUVD
EUVD-2025-210004
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
gpac mp4box to 26.02.0 (exc)
gpac gpac From 2.5.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not include any details on how CVE-2025-60483 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2025-60483 is a null pointer dereference vulnerability in the GPAC project's media_tools/av_parsers.c file, specifically in the function gf_ac4_pres_b_4_back_channels_present. This occurs when the software processes a crafted AC-4 audio stream that contains invalid substream group references. The parser fails to validate these references before accessing presentation data, leading to an attempt to access memory at an invalid address, causing a segmentation fault and crashing the application.

The root cause is improper input validation during AC-4 stream parsing, which allows attackers to supply maliciously crafted AC4 files that trigger this null pointer dereference and cause a Denial of Service (DoS).

Impact Analysis

This vulnerability can be exploited by attackers to cause a Denial of Service (DoS) condition by crashing the GPAC media processing application when it attempts to parse a specially crafted AC4 audio file. This crash results from a null pointer dereference, which leads to a segmentation fault and application termination.

As a result, any system or service relying on GPAC's MP4Box for media processing could be disrupted, potentially affecting availability and stability.

Detection Guidance

This vulnerability can be detected by attempting to process a crafted AC-4 audio stream that triggers the null pointer dereference in the GPAC MP4Box tool. A specific command to reproduce the crash is:

  • ./MP4Box -dash 100 49_gf_ac4_pres_b_4_back_channels_present_media_tools_av_parsers_c_15703

Running this command with a specially crafted AC-4 file causes the MP4Box process to crash due to invalid memory access, indicating the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include updating GPAC to a version that contains the security fixes addressing this vulnerability.

  • Apply patches that add null pointer checks and improve bounds checking in the AC4 audio parsing code, as described in the GPAC project commit 13eb5b76560aaf7813b865a2ad433258478e2695.
  • Avoid processing untrusted or crafted AC-4 files with vulnerable versions of MP4Box.

These steps help prevent the null pointer dereference and potential denial of service caused by malicious AC-4 streams.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60483. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart