CVE-2025-60495
Segmentation Violation in GPAC Project MP4Box
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpac | mp4box | to 26.02.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-60495 is a vulnerability in the GPAC Project's MP4Box tool, specifically in the function gf_media_get_color_info located in media_tools/isom_tools.c. The issue is a segmentation violation (segmentation fault) caused by a null pointer dereference when processing crafted MP4 files that contain invalid or unexpected video sample entries, such as a v210 entry incorrectly containing an AVC Decoder Configuration Box (avcC). This leads to a crash (Denial of Service) when the tool attempts to access invalid memory.
The vulnerability was fixed by adding null checks in the gf_media_get_color_info function to safely handle cases where AVC or HEVC configuration pointers are null, preventing the segmentation fault.
How can this vulnerability impact me? :
This vulnerability can cause the MP4Box tool to crash (Denial of Service) when processing specially crafted MP4 files. An attacker could exploit this by supplying malicious media files that trigger the segmentation fault, potentially disrupting services or workflows that rely on MP4Box for media processing.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing crashes or segmentation faults in the GPAC MP4Box tool when processing crafted MP4 files, especially those containing malformed video sample entries with invalid AVC configuration data.
One way to reproduce or detect the issue is by running MP4Box with the `-split-size` command on suspicious or untrusted MP4 files and monitoring for crashes or segmentation faults.
For example, on a Linux system, you can run:
- mp4box -split-size <size> <file.mp4>
If the tool crashes with a segmentation fault (SEGV), it may indicate the presence of this vulnerability.
Additionally, using debugging tools like AddressSanitizer or running MP4Box under gdb can help confirm the crash location in the `gf_media_get_color_info` function.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update GPAC MP4Box to version 26.02.0 or later, where the vulnerability has been fixed by adding null pointer checks in the affected function.
If updating is not immediately possible, avoid processing untrusted or crafted MP4 files that could trigger the segmentation fault.
Monitoring and restricting the use of MP4Box on files from untrusted sources can reduce the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.