CVE-2025-60483
NULL Pointer Dereference in GPAC MP4Box via Malicious AC4 File
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpac | mp4box | Up to 26.02.0 (exc) |
| gpac | gpac | From 2.5.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not include any details on how CVE-2025-60483 impacts compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2025-60483 is a NULL pointer dereference vulnerability in the GPAC project's media_tools/av_parsers.c file, specifically in the function gf_ac4_pres_b_4_back_channels_present. It occurs when the software processes a crafted AC-4 audio stream that contains invalid substream group references. The parser fails to validate these references before accessing presentation data, so it attempts to read memory through a NULL pointer, causing a segmentation fault and crashing the application.
The root cause is improper input validation during AC-4 stream parsing, which allows attackers to supply maliciously crafted AC-4 files that trigger the NULL pointer dereference and cause a Denial of Service (DoS).
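The CWE-476 pattern described above, as an added illustration that is hypothetical code and not GPAC's actual av_parsers.c: a presentation references substream groups by index, the unchecked variant dereferences a lookup that returns NULL for an invalid reference, and the hardened variant rejects the reference with an error return instead of crashing. All type and function names are assumed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_SUBSTREAM_GROUPS 8

/* Hypothetical model of one AC-4 substream group (not GPAC's real struct) */
typedef struct {
    bool b_4_back_channels_present;
} ac4_substream_group;

/* Hypothetical presentation: n_substream_groups is what the stream declared,
 * groups[] holds what was actually parsed; a slot stays NULL when the stream
 * references a group that was never defined. */
typedef struct {
    uint32_t n_substream_groups;
    ac4_substream_group *groups[MAX_SUBSTREAM_GROUPS];
} ac4_presentation;

/* Resolves a substream group reference; NULL means the reference is invalid. */
static ac4_substream_group *lookup_group(const ac4_presentation *pres, uint32_t idx) {
    if (idx >= pres->n_substream_groups || idx >= MAX_SUBSTREAM_GROUPS) return NULL;
    return pres->groups[idx];
}

/* Vulnerable pattern (CWE-476): the lookup result is dereferenced unchecked,
 * so an invalid reference in a crafted stream segfaults the parser. */
bool back_channels_present_unchecked(const ac4_presentation *pres, uint32_t idx) {
    ac4_substream_group *g = lookup_group(pres, idx);
    return g->b_4_back_channels_present;
}

/* Hardened form: an invalid reference is a parse error (-1), never a crash.
 * Returns 1 if back channels are present, 0 if not. */
int back_channels_present_checked(const ac4_presentation *pres, uint32_t idx) {
    if (!pres) return -1;
    ac4_substream_group *g = lookup_group(pres, idx);
    if (!g) return -1;
    return g->b_4_back_channels_present ? 1 : 0;
}

/* Constructed sample stream state: it declares 3 groups but only group 0 was
 * actually parsed, so references to groups 1 and 2 are invalid. */
static ac4_substream_group sample_group0 = { .b_4_back_channels_present = true };
static ac4_presentation sample_pres = {
    .n_substream_groups = 3, .groups = { &sample_group0, NULL, NULL }
};

int sample_result(uint32_t idx) { return back_channels_present_checked(&sample_pres, idx); }
```

Calling back_channels_present_unchecked(&sample_pres, 1) on the same sample reproduces the crash pattern, which is why it is not exercised here.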
How can this vulnerability impact me?
This vulnerability can be exploited by attackers to cause a Denial of Service (DoS) condition by crashing the GPAC media processing application when it attempts to parse a specially crafted AC-4 audio file. The crash results from a NULL pointer dereference, which leads to a segmentation fault and application termination.
As a result, any system or service relying on GPAC's MP4Box for media processing could be disrupted, potentially affecting availability and stability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to process a crafted AC-4 audio stream that triggers the null pointer dereference in the GPAC MP4Box tool. A specific command to reproduce the crash is:
- ./MP4Box -dash 100 49_gf_ac4_pres_b_4_back_channels_present_media_tools_av_parsers_c_15703
Running this command with a specially crafted AC-4 file causes the MP4Box process to crash due to invalid memory access, indicating the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating GPAC to a version that contains the security fixes addressing this vulnerability.
- Apply patches that add NULL pointer checks and improve bounds checking in the AC-4 audio parsing code, as described in the GPAC project commit 13eb5b76560aaf7813b865a2ad433258478e2695.
- Avoid processing untrusted or crafted AC-4 files with vulnerable versions of MP4Box.
These steps help prevent the NULL pointer dereference and the potential denial of service caused by malicious AC-4 streams.