VYPR
Vypr Intelligence · AI-generated · Jun 15, 2026 · 13 CVEs

GPAC MP4Box v2.4: 13 Memory-Safety CVEs Disclosed in Single-Day Batch

GPAC disclosed 13 medium-severity CVEs in MP4Box v2.4, all triggered by crafted MP4 files and spanning heap overflows, use-after-free, NULL pointer dereferences, and a floating-point exception.

Key findings

  • 13 medium-severity CVEs disclosed together for GPAC MP4Box v2.4 on 2026-06-15
  • Bug classes include heap buffer overflows, use-after-free, NULL pointer dereferences, stack overflow, and a floating-point exception
  • All flaws are triggered by crafted MP4 files; the confirmed impact is denial of service
  • CVE-2025-55642 (floating-point exception) is the highest-scored bug at CVSS 6.5
  • Two use-after-free bugs (CVE-2025-55650, CVE-2025-55644) share the same vulnerable function gf_node_get_tag
  • No patch released yet; users should watch the GPAC repository for v2.5

On 2026-06-15, the GPAC project disclosed a batch of 13 medium-severity vulnerabilities in MP4Box v2.4, the command-line muxing/demuxing tool that ships with the GPAC framework. Every flaw is triggered by feeding MP4Box a specially crafted MP4 file, and all but one carry a CVSSv3 base score of 5.5 (the outlier, CVE-2025-55642, scores 6.5). The batch covers heap buffer overflows, use-after-frees, NULL pointer dereferences, a stack overflow, a segmentation violation, a floating-point exception, and an out-of-memory condition. Some of these are memory corruption and some are plain crashes, but all of them terminate the process, which makes this a broad availability risk for any pipeline that runs MP4Box over untrusted MP4 content.

Memory corruption in parsers and codec handlers

Several of the bugs live in the media-parsing layer. CVE-2025-55661 and CVE-2025-55648 are heap buffer overflows in the Opus audio stream parser (media_tools/av_parsers.c), while CVE-2025-55660 is a stack overflow in the same file's gf_opus_read_length function. CVE-2025-55652 is a heap buffer overflow in gf_isom_vp_config_new (isomedia/avc_ext.c), which handles VP codec configuration records. CVE-2025-55663 triggers a segmentation violation in Track_SetStreamDescriptor (isomedia/track.c). A heap overflow in a parser of this kind almost always means a length or count read from the stream was used to index or copy before being compared with the bytes actually available.

Use-after-free and NULL pointer dereferences

Two CVEs, CVE-2025-55650 and CVE-2025-55644, are heap use-after-free bugs in the same function, gf_node_get_tag (scenegraph/base_scenegraph.c). For a use-after-free the function named in the record is the use site, not necessarily the bug: gf_node_get_tag is where the freed node is read, and the root cause is likely in the scene-graph lifecycle code that released the node early, so a fix may land in a caller rather than in the named function. Three NULL pointer dereferences were also disclosed: CVE-2025-55649 in gf_media_map_esd (media_tools/isom_tools.c), CVE-2025-55643 in the TrackWriter component (filters/mux_isom.c), and CVE-2025-55641 in gf_isom_copy_sample_info (isomedia/isom_write.c), each the usual shape of a box or descriptor that the code assumes is present and the crafted file omits.

Muxer and DRM-layer flaws

The muxer filter (filters/mux_isom.c) is implicated in two additional issues: CVE-2025-55647, an out-of-memory condition in mp4_mux_cenc_insert_pssh, and CVE-2025-55643 (already noted above). The DRM sample-handling code in isomedia/drm_sample.c contains CVE-2025-55645, a heap buffer overflow in gf_cenc_set_pssh; both pssh routines consume a box whose key-ID count and data size are read from the file, which is the classic source of oversized allocations and over-long copies. Finally, CVE-2025-55642 is a floating-point exception in avidmx_process (isomedia/isom_write.c), the only bug in the batch scored 6.5. In C code on x86 a SIGFPE is almost always an integer division or modulo by zero rather than floating-point math. The extra point is not a larger availability impact: a score of 5.5 or 6.5 for an availability-only finding already implies Availability: High in both cases, so the gap comes from the exploitability metrics (attack vector, privileges or user interaction) in that record's vector.
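The heap-overflow and out-of-memory entries in the two sections above (the Opus and VP configuration parsers, and the two pssh routines) share one shape: a length or count read from the file is trusted before it is compared with the bytes actually present. The following is an added example, not GPAC's code and not derived from the CVE records: a bounds-checked reader for an ISO BMFF box header and for the pssh payload (ISO/IEC 23001-7 layout), with a constructed 56-byte sample box and the field mutations the checks reject. The names read_box_header, parse_pssh_payload, parse_pssh_box and parse_mutated are this example's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Big-endian 32-bit read; ISO BMFF stores every size and count this way. */
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

typedef struct { uint32_t type; uint64_t hdr_len, size; } box_hdr;

/* Reads one box header from [p, p+len). Returns 1 only when the declared box lies entirely inside
 * the buffer; handles size==1 (64-bit largesize) and size==0 (box runs to end of data). */
int read_box_header(const uint8_t *p, size_t len, box_hdr *b) {
    if (len < 8) return 0;
    uint64_t size = rd32(p);
    b->type = rd32(p + 4); b->hdr_len = 8;
    if (size == 1) {                               /* 64-bit largesize follows the type */
        if (len < 16) return 0;
        size = ((uint64_t)rd32(p + 8) << 32) | rd32(p + 12);
        b->hdr_len = 16;
    } else if (size == 0) {                        /* last box: extends to end of data */
        size = len;
    }
    if (size < b->hdr_len || size > len) return 0; /* truncated or overlong box: the overflow shape */
    b->size = size;
    return 1;
}

typedef struct {
    uint8_t  version, system_id[16];
    uint32_t kid_count, data_size;
    uint8_t *kids, *data;                          /* kid_count*16 and data_size bytes; NULL when empty */
} pssh_box;

void pssh_free(pssh_box *b) { free(b->kids); free(b->data); b->kids = b->data = NULL; }

/* Payload of a 'pssh' FullBox (ISO/IEC 23001-7):
 *   version(1) flags(3) SystemID(16) [version>0: KID_count(4) KID(16)*KID_count] DataSize(4) Data
 * KID_count and DataSize come from the file. Each is compared with the bytes that remain BEFORE it is
 * multiplied, allocated or copied, so a huge KID_count cannot wrap or demand gigabytes (the
 * out-of-memory pattern) and an oversized DataSize cannot make memcpy read past the box (the overflow). */
int parse_pssh_payload(const uint8_t *p, size_t len, pssh_box *out) {
    size_t off = 20;
    memset(out, 0, sizeof *out);
    if (len < off) return -1;
    out->version = p[0];
    memcpy(out->system_id, p + 4, 16);
    if (out->version > 0) {
        if (len - off < 4) return -1;
        out->kid_count = rd32(p + off); off += 4;
        if (out->kid_count > (len - off) / 16) return -1;  /* check the count, never the product */
        if (out->kid_count) {
            size_t n = (size_t)out->kid_count * 16;
            if (!(out->kids = malloc(n))) return -1;
            memcpy(out->kids, p + off, n);
            off += n;
        }
    }
    if (len - off < 4) goto fail;
    out->data_size = rd32(p + off); off += 4;
    if (out->data_size > len - off) goto fail;
    if (out->data_size) {
        if (!(out->data = malloc(out->data_size))) goto fail;
        memcpy(out->data, p + off, out->data_size);
    }
    return 0;
fail:
    pssh_free(out);
    return -1;
}

/* Whole box: header check, type check, then payload. Returns -1 on any inconsistency. */
int parse_pssh_box(const uint8_t *buf, size_t len, pssh_box *out) {
    box_hdr h;
    memset(out, 0, sizeof *out);
    if (!read_box_header(buf, len, &h) || h.type != 0x70737368u) return -1;  /* 'pssh' */
    return parse_pssh_payload(buf + h.hdr_len, (size_t)(h.size - h.hdr_len), out);
}

/* Constructed 56-byte version-1 pssh box: one KID and four bytes of data. */
const uint8_t good_pssh[56] = {
    0x00,0x00,0x00,0x38, 'p','s','s','h', 0x01,0x00,0x00,0x00,          /* size 56, type, version 1, flags 0 */
    0x10,0x77,0xEF,0xEC,0xC0,0xB2,0x4D,0x02,0xAC,0xE3,0x3C,0x1E,0x52,0xE2,0xFB,0x4B,  /* Common PSSH system ID */
    0x00,0x00,0x00,0x01,                                                /* KID_count = 1 */
    0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,  /* constructed KID */
    0x00,0x00,0x00,0x04, 0xDE,0xAD,0xBE,0xEF                            /* DataSize = 4, Data */
};

/* Copies good_pssh, overwrites the 32-bit field at byte `off` with `v`, parses the first `len` bytes.
 * (0,0x38,56) -> 0 intact; (0,0,56) -> 0 size-0 box; (28,0xFFFFFFFF,56) -> -1 KID_count wants 64 GiB;
 * (48,256,56) -> -1 DataSize beyond the 4 bytes left; (0,0x38,40) -> -1 declares 56 bytes, has 40. */
int parse_mutated(size_t off, uint32_t v, size_t len) {
    uint8_t buf[sizeof good_pssh]; pssh_box b;
    memcpy(buf, good_pssh, sizeof buf);
    buf[off] = v >> 24; buf[off + 1] = v >> 16; buf[off + 2] = v >> 8; buf[off + 3] = v;
    int rc = parse_pssh_box(buf, len, &b);
    pssh_free(&b);
    return rc;
}
```

The rule the example enforces is the one that closes every bug class named above except the use-after-frees: compare the file-supplied count with the remaining length before the multiply, before the malloc and before the memcpy, in that order. Checking `kid_count * 16` after the multiplication is not equivalent, because on a 32-bit count the product can wrap to a small number that passes the check.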

Impact and patching

All 13 CVEs affect GPAC MP4Box v2.4. No in-the-wild exploitation had been reported at the time of disclosure. Because every vulnerability needs a crafted MP4 file as its attack vector, the practical exposure is any automated workflow that ingests untrusted MP4 files: transcoding pipelines, video-sharing platforms, and QA or fuzzing harnesses. The confirmed impact is denial of service, but a heap buffer overflow or a use-after-free is a memory-corruption primitive, and a crash under a fuzzer is the floor of what such a bug can do rather than the ceiling; until a fix is in place, MP4Box should run as an unprivileged, resource-limited process that can be killed and restarted without taking the surrounding service down with it. GPAC maintainers have not announced a patch release; users should monitor the GPAC Git repository for a v2.5 release that addresses this batch.
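A pipeline that cannot patch yet still has to decide, per file, whether the tool crashed, ran out of budget, or merely reported a parse error. The wrapper below is an added example, not GPAC code and not something the page describes: it runs a command in a child process under CPU and address-space limits (POSIX setrlimit, so Linux or BSD is assumed) and maps the terminating signal back onto the bug classes in this batch: SIGSEGV/SIGBUS for NULL dereferences, overflows and use-after-free, SIGFPE for the divide-by-zero behind a "floating-point exception" record, SIGABRT for allocator or sanitizer aborts. The `MP4Box -info` invocation in the usage comment is only an illustration of the command you would hand it.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

typedef enum {
    RUN_OK,          /* exited 0 */
    RUN_EXIT,        /* exited non-zero: an error the tool caught and reported itself */
    RUN_CRASH_SEGV,  /* SIGSEGV/SIGBUS: NULL dereference, out-of-bounds access, use-after-free */
    RUN_CRASH_FPE,   /* SIGFPE: integer divide or modulo by zero, the "floating-point exception" class */
    RUN_CRASH_ABRT,  /* SIGABRT: assert, glibc heap-consistency check, sanitizer report */
    RUN_LIMIT,       /* SIGXCPU/SIGKILL: the CPU budget ran out */
    RUN_CRASH_OTHER, /* any other fatal signal */
    RUN_ERROR        /* fork/exec/wait failed inside the wrapper */
} run_outcome;

/* Runs argv[] in a child under RLIMIT_CPU, RLIMIT_AS and RLIMIT_CORE=0, waits for it and
 * classifies how it ended. On a normal exit *exit_code receives the status, otherwise -1. */
run_outcome run_guarded(char *const argv[], unsigned cpu_seconds, size_t mem_bytes, int *exit_code) {
    int status;
    pid_t pid = fork();
    *exit_code = -1;
    if (pid < 0) return RUN_ERROR;
    if (pid == 0) {
        struct rlimit rl;
        rl.rlim_cur = cpu_seconds; rl.rlim_max = cpu_seconds + 1; setrlimit(RLIMIT_CPU, &rl);
        rl.rlim_cur = rl.rlim_max = mem_bytes;                  setrlimit(RLIMIT_AS, &rl);
        rl.rlim_cur = rl.rlim_max = 0;                          setrlimit(RLIMIT_CORE, &rl);
        execvp(argv[0], argv);
        _exit(127);                                 /* exec failed: surfaces as RUN_EXIT with code 127 */
    }
    if (waitpid(pid, &status, 0) < 0) return RUN_ERROR;
    if (WIFEXITED(status)) {
        *exit_code = WEXITSTATUS(status);
        return *exit_code == 0 ? RUN_OK : RUN_EXIT;
    }
    if (!WIFSIGNALED(status)) return RUN_ERROR;
    switch (WTERMSIG(status)) {
        case SIGSEGV: case SIGBUS:  return RUN_CRASH_SEGV;
        case SIGFPE:                return RUN_CRASH_FPE;
        case SIGABRT:               return RUN_CRASH_ABRT;
        case SIGXCPU: case SIGKILL: return RUN_LIMIT;
        default:                    return RUN_CRASH_OTHER;
    }
}

const char *outcome_name(run_outcome o) {
    static const char *const names[] = { "ok", "exit", "crash:SIGSEGV", "crash:SIGFPE",
                                         "crash:SIGABRT", "cpu-limit", "crash:other", "wrapper-error" };
    return names[o];
}

/* Usage: ./guard MP4Box -info untrusted.mp4   (30 s of CPU, 2 GiB of address space) */
int main(int argc, char *argv[]) {
    if (argc < 2) { fprintf(stderr, "usage: %s command [args...]\n", argv[0]); return 2; }
    int code;
    run_outcome o = run_guarded(argv + 1, 30, (size_t)2 << 30, &code);
    printf("%s (exit %d)\n", outcome_name(o), code);
    return o == RUN_OK ? 0 : 1;
}
```

RLIMIT_AS is the right knob for a stock build. An AddressSanitizer build reserves terabytes of virtual address space at start-up and fails immediately under it, so for a sanitizer build drop the address-space limit and rely on the CPU limit plus a cgroup memory cap. Files that come back as crash:* belong in a quarantine bucket together with the signal and the tool's stderr; they are the reproducers the maintainers will ask for.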

What to watch next

This disclosure is the latest in a steady stream of MP4Box CVEs from the GPAC project. The concentration of memory-safety bugs in a single version (v2.4) suggests that a focused fuzzing campaign — possibly by an external researcher — uncovered these issues. Users who rely on MP4Box for server-side media processing should treat any untrusted MP4 file as a potential crash vector until the fixes land.

AI-written article. Grounded in 13 CVE records listed below.