GPAC MP4Box: Batch of Seven DoS Vulnerabilities Disclosed
Seven Denial of Service vulnerabilities were disclosed in GPAC MP4Box, with six impacting versions prior to 26.02.0 and one affecting v2.4.

Key findings
- Seven DoS vulnerabilities disclosed in GPAC MP4Box within a 24-hour window.
- Six GPAC MP4Box vulnerabilities patched in version 26.02.0.
- Vulnerabilities include segmentation violations, use-after-free, and NULL pointer dereferences.
- One DoS vulnerability affects GPAC MP4Box v2.4.
- One low-severity race condition vulnerability in Open5GS (CVE-2026-10565).
- One medium-severity improper authorization vulnerability in Dolibarr ERP CRM (CVE-2026-10215).
A cluster of seven Denial of Service (DoS) vulnerabilities affecting the GPAC MP4Box media framework was disclosed on June 1st and 2nd, 2026. Taken together, they show how little it takes for a crafted media file to bring MP4Box down. Six of the seven were patched in version 26.02.0; the seventh, reported specifically against MP4Box v2.4, was also addressed.
The disclosed vulnerabilities are predominantly memory-safety defects in MP4Box, a widely used command-line tool for inspecting and manipulating multimedia files: segmentation violations, a heap use-after-free, and NULL pointer dereferences. An attacker needs only to hand a specially crafted media file to any workflow that parses it with MP4Box; the resulting crash is enough for a denial of service wherever the tool runs unattended, such as transcoding queues or upload validation.
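A cheap defence-in-depth step for pipelines that feed untrusted files to MP4Box is to reject structurally inconsistent input before the parser ever sees it. The following is an added example, not code from GPAC or from the advisories: it walks the top-level box chain of an ISO BMFF (MP4) file and rejects any box whose declared size overruns the file, is smaller than its own header, or leaves a truncated header, and it insists that the file start with an `ftyp` box. It does not descend into container boxes such as `moov`, so it cannot catch the deeper bugs in colour-information or AC4 handling described on this page; it only removes the crudest class of malformed input. The sample files at the bottom are constructed for the example.

```python
import struct

# 8-byte box header: 32-bit big-endian size followed by a 4-character type code.
BOX_HEADER = struct.Struct(">I4s")


def walk_top_level_boxes(data: bytes):
    """Walk the top-level box chain of an ISO BMFF (MP4) file.

    Returns a list of (offset, type, size) tuples. Raises ValueError on any
    header that is inconsistent with the file length: a declared size that
    overruns the remaining bytes, a size smaller than the header itself, or
    a truncated header. Only the top level is walked; child boxes inside
    containers such as 'moov' are not inspected.
    """
    total = len(data)
    offset = 0
    boxes = []
    while offset < total:
        remaining = total - offset
        if remaining < BOX_HEADER.size:
            raise ValueError(f"truncated box header at offset {offset}")
        size, raw_type = BOX_HEADER.unpack_from(data, offset)
        header_len = BOX_HEADER.size
        if size == 1:
            # 'largesize': a 64-bit size follows the 8-byte header.
            if remaining < 16:
                raise ValueError(f"truncated largesize header at offset {offset}")
            size = struct.unpack_from(">Q", data, offset + 8)[0]
            header_len = 16
        elif size == 0:
            # Size 0 means the box extends to the end of the file.
            size = remaining
        btype = raw_type.decode("latin-1")
        if size < header_len:
            raise ValueError(
                f"box {btype!r} at offset {offset} declares size {size}, "
                f"smaller than its {header_len}-byte header")
        if size > remaining:
            raise ValueError(
                f"box {btype!r} at offset {offset} declares size {size} "
                f"but only {remaining} bytes remain")
        boxes.append((offset, btype, size))
        offset += size
    return boxes


def prescreen_mp4(data: bytes):
    """Return (accepted, reason). Rejects files whose top-level box chain is
    inconsistent and files that do not start with an 'ftyp' box."""
    try:
        boxes = walk_top_level_boxes(data)
    except ValueError as exc:
        return False, str(exc)
    if not boxes or boxes[0][1] != "ftyp":
        return False, "file does not start with an ftyp box"
    return True, "top-level boxes: " + ", ".join(t for _, t, _ in boxes)


def _box(btype: bytes, payload: bytes, largesize: bool = False, to_eof: bool = False) -> bytes:
    """Build one box for the constructed samples below."""
    if to_eof:
        return BOX_HEADER.pack(0, btype) + payload
    if largesize:
        return BOX_HEADER.pack(1, btype) + struct.pack(">Q", 16 + len(payload)) + payload
    return BOX_HEADER.pack(8 + len(payload), btype) + payload


# Constructed sample inputs for this example; not files from the advisories.
FTYP = _box(b"ftyp", b"isom" + struct.pack(">I", 0) + b"isom" + b"mp41")   # 24 bytes
GOOD_FILE = FTYP + _box(b"free", b"") + _box(b"mdat", b"\x00\x01\x02\x03", to_eof=True)
LARGESIZE_FILE = FTYP + _box(b"mdat", b"\xde\xad\xbe\xef", largesize=True)
OVERRUN_FILE = FTYP + BOX_HEADER.pack(0x7FFFFFF0, b"free")   # size far beyond end of file
UNDERSIZE_FILE = FTYP + BOX_HEADER.pack(4, b"free")           # size smaller than the header
NO_FTYP_FILE = _box(b"free", b"") + FTYP

if __name__ == "__main__":
    for name, blob in [("good", GOOD_FILE), ("largesize", LARGESIZE_FILE),
                       ("overrun", OVERRUN_FILE), ("undersize", UNDERSIZE_FILE),
                       ("no-ftyp", NO_FTYP_FILE)]:
        print(name, prescreen_mp4(blob))
```

A rejection here is a reason to drop the file, not to log and continue: a top-level size that overruns the file is never produced by a conforming muxer.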
Specifically, CVE-2025-60495, CVE-2025-60486, CVE-2025-60485, CVE-2025-60483, and CVE-2025-60481 all relate to memory safety issues within MP4Box. CVE-2025-60495 and CVE-2025-60485 involve segmentation violations in functions related to color information and MP4 file writing, respectively. CVE-2025-60486 points to a heap use-after-free in the dasher_process function when handling MPEG-2 files. Meanwhile, CVE-2025-60483 and CVE-2025-60481 are NULL pointer dereferences occurring during the processing of AC4 audio files.
Another DoS vulnerability, CVE-2025-55664, was found in the m2tsdmx_send_packet function of GPAC MP4Box v2.4 and is likewise triggered by crafted MP4 files. Because it is tracked against v2.4 rather than against the releases fixed in 26.02.0, users on that line should check for the specific fix rather than assume the batch covers it.
While the primary impact of these vulnerabilities is Denial of Service, the underlying bug classes are not all equal. A NULL pointer dereference is generally limited to a crash, whereas a heap use-after-free such as the one reported in dasher_process is the kind of bug that, given a favourable heap layout, can sometimes be pushed beyond a crash. The current disclosures, however, only establish that MP4Box fails to process the malicious input without crashing; none of them claims a primitive beyond that.
It is important to note that one unrelated vulnerability, CVE-2026-10565, was also disclosed within the same 24-hour window. This low-severity flaw affects Open5GS up to version 2.7.6 and relates to a race condition in the GMM state security mode function, potentially exploitable remotely with high complexity.
Additionally, CVE-2026-10215, a medium-severity vulnerability in Dolibarr ERP CRM up to 23.0.1, was disclosed. This flaw in the Leave Request REST API component involves improper authorization and can be initiated remotely.
Users of GPAC MP4Box are strongly advised to update to version 26.02.0 or later, which carries the fixes for six of the seven DoS vulnerabilities; users on the v2.4 line should also confirm that their build includes the fix for CVE-2025-55664. Open5GS versions up to and including 2.7.6 are affected by CVE-2026-10565, so operators should move to a release newer than that once available. Dolibarr ERP CRM versions up to and including 23.0.1 are affected by CVE-2026-10215, so 23.0.1 itself is not a safe target; users should upgrade beyond it to a release carrying the fix. The coordinated disclosure of these vulnerabilities underscores the ongoing need for diligent security patching across various software components.
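Until the update lands, the practical mitigation for any service that runs MP4Box over user-supplied files is containment: run the tool under memory and CPU limits with a wall-clock timeout, and treat a signal death or a timeout as a verdict on the input rather than as a transient error. The following is an added example (Unix only, since it uses the `resource` module), not code from GPAC; the `screen_media_file` wrapper assumes an `MP4Box -noprog -info <file>` invocation as the parse step, and the commands used in the self-test stand in for MP4Box.

```python
import resource
import signal
import subprocess
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RunResult:
    status: str            # "ok", "error", "crash" or "timeout"
    detail: str
    returncode: Optional[int]


def _capped(limit: int, which: int) -> int:
    """Never ask for more than the current hard limit, or setrlimit() fails."""
    hard = resource.getrlimit(which)[1]
    return limit if hard == resource.RLIM_INFINITY else min(limit, hard)


def _apply_limits(max_mem_bytes: int, max_cpu_seconds: int):
    """Return a preexec hook that caps memory and CPU time for the child."""
    def preexec():
        mem = _capped(max_mem_bytes, resource.RLIMIT_AS)
        cpu = _capped(max_cpu_seconds, resource.RLIMIT_CPU)
        resource.setrlimit(resource.RLIMIT_AS, (mem, mem))
        resource.setrlimit(resource.RLIMIT_CPU, (cpu, cpu))
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))  # no core dumps of attacker-controlled input
    return preexec


def run_isolated(argv: List[str], timeout_seconds: float = 30.0,
                 max_mem_bytes: int = 1 << 30, max_cpu_seconds: int = 30) -> RunResult:
    """Run argv under resource limits and a wall-clock timeout; classify how it ended."""
    try:
        proc = subprocess.run(argv, capture_output=True, stdin=subprocess.DEVNULL,
                              timeout=timeout_seconds,
                              preexec_fn=_apply_limits(max_mem_bytes, max_cpu_seconds))
    except subprocess.TimeoutExpired:
        return RunResult("timeout", f"no result within {timeout_seconds}s (child killed)", None)
    except FileNotFoundError:
        return RunResult("error", f"{argv[0]}: executable not found", None)
    rc = proc.returncode
    if rc < 0:
        # A negative return code means the child died from a signal (SIGSEGV, SIGABRT, ...).
        try:
            name = signal.Signals(-rc).name
        except ValueError:
            name = f"signal {-rc}"
        return RunResult("crash", f"terminated by {name}", rc)
    if rc == 0:
        return RunResult("ok", "", 0)
    stderr = proc.stderr.decode("utf-8", errors="replace").strip()
    return RunResult("error", stderr[-200:], rc)


def screen_media_file(path: str, mp4box: str = "MP4Box") -> RunResult:
    """Assumed gate for an upload pipeline: parse the file with MP4Box under limits.
    The invocation is an assumption of this example, not taken from the advisories."""
    return run_isolated([mp4box, "-noprog", "-info", path])


def should_accept(result: RunResult) -> bool:
    # Crashes and timeouts are treated as hostile input, not as transient failures to retry.
    return result.status == "ok"


if __name__ == "__main__":
    # Stand-ins for MP4Box so the example runs without it installed.
    print(run_isolated(["/bin/sh", "-c", "exit 0"]))
    print(run_isolated(["/bin/sh", "-c", "kill -s SEGV $$"]))
    print(run_isolated(["/bin/sh", "-c", "sleep 5"], timeout_seconds=0.5))
```

Two details matter in production. First, the gate must fail closed: an "error" result from a missing binary is not an "ok", and `should_accept` only passes a clean exit. Second, record the signal name with the rejected file's hash; a cluster of SIGSEGV rejections from one uploader is exactly the signal a detection team wants while the fleet is still being patched.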