CVE-2025-60485
Deferred Deferred - Pending Action
Segmentation Violation in GPAC MP4Box via Crafted MP4 File

Publication date: 2026-06-01

Last updated on: 2026-06-02

Assigner: MITRE

Description
A segmentation violation in the gf_isom_apple_set_tag_ex function (/isomedia/isom_write.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-02
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2025-60485
EUVD
EUVD-2025-210005
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gpac mp4box to 26.02.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not include any details on how the segmentation violation vulnerability in GPAC Project/MP4Box affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2025-60485 is a segmentation fault vulnerability in the GPAC project's MP4Box tool, specifically in the function gf_isom_apple_set_tag_ex located in the isomedia/isom_write.c file. This vulnerability occurs when MP4Box processes a crafted or corrupted MP4 file containing invalid or incomplete descriptors (such as corrupted "esds" boxes). The function does not properly validate pointers before accessing memory, leading to a null pointer dereference and causing the program to crash.

This crash results in a Denial of Service (DoS) condition, where the MP4Box tool becomes unusable or stops functioning correctly when handling such maliciously crafted MP4 files.

Impact Analysis

This vulnerability can impact users by causing a Denial of Service (DoS) when processing specially crafted MP4 files with the vulnerable version of MP4Box. An attacker can supply a malicious MP4 file that triggers a segmentation fault, crashing the application and potentially disrupting workflows or automated processes that rely on MP4Box for media file handling.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the crash using a crafted MP4 file that triggers the segmentation fault in the GPAC MP4Box tool. Specifically, the crash occurs when processing corrupted MP4 files containing invalid descriptors or incomplete box structures.

A known test file named `52_gf_isom_apple_set_tag_ex_isomedia_isom_write_c_6309` can be used to trigger the issue.

The following command was used to reproduce the crash on a Kali Linux system:

  • ./MP4Box -splitf 30:60 52_gf_isom_apple_set_tag_ex_isomedia_isom_write_c_6309

Using AddressSanitizer or similar memory error detection tools can help identify the segmentation violation caused by null pointer dereference.

Mitigation Strategies

Immediate mitigation involves updating GPAC MP4Box to a version that includes the fix for this vulnerability.

The fix includes adding null pointer checks in the vulnerable function to prevent crashes when processing crafted MP4 files.

If updating is not immediately possible, avoid processing untrusted or potentially corrupted MP4 files with GPAC MP4Box to reduce the risk of denial of service.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60485. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart