CVE-2025-60483
Deferred Deferred - Pending Action

NULL Pointer Dereference in GPAC MP4Box via Malicious AC4 File

Vulnerability report for CVE-2025-60483, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-01

Last updated on: 2026-06-02

Assigner: MITRE

Description

A NULL pointer dereference in the gf_ac4_pres_b_4_back_channels_present function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-01
Last Modified
2026-06-02
Generated
2026-07-12
AI Q&A
2026-06-01
EPSS Evaluated
2026-07-10
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
gpac mp4box to 26.02.0 (exc)
gpac gpac From 2.5.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-60483 is a null pointer dereference vulnerability in the GPAC project's media_tools/av_parsers.c file, specifically in the function gf_ac4_pres_b_4_back_channels_present. This occurs when the software processes a crafted AC-4 audio stream that contains invalid substream group references. The parser fails to validate these references before accessing presentation data, leading to an attempt to access memory at an invalid address, causing a segmentation fault and crashing the application.

The root cause is improper input validation during AC-4 stream parsing, which allows attackers to supply maliciously crafted AC4 files that trigger this null pointer dereference and cause a Denial of Service (DoS).

Compliance Impact

The provided information does not include any details on how CVE-2025-60483 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can be exploited by attackers to cause a Denial of Service (DoS) condition by crashing the GPAC media processing application when it attempts to parse a specially crafted AC4 audio file. This crash results from a null pointer dereference, which leads to a segmentation fault and application termination.

As a result, any system or service relying on GPAC's MP4Box for media processing could be disrupted, potentially affecting availability and stability.

Detection Guidance

This vulnerability can be detected by attempting to process a crafted AC-4 audio stream that triggers the null pointer dereference in the GPAC MP4Box tool. A specific command to reproduce the crash is:

  • ./MP4Box -dash 100 49_gf_ac4_pres_b_4_back_channels_present_media_tools_av_parsers_c_15703

Running this command with a specially crafted AC-4 file causes the MP4Box process to crash due to invalid memory access, indicating the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include updating GPAC to a version that contains the security fixes addressing this vulnerability.

  • Apply patches that add null pointer checks and improve bounds checking in the AC4 audio parsing code, as described in the GPAC project commit 13eb5b76560aaf7813b865a2ad433258478e2695.
  • Avoid processing untrusted or crafted AC-4 files with vulnerable versions of MP4Box.

These steps help prevent the null pointer dereference and potential denial of service caused by malicious AC-4 streams.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60483. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart