VYPR
Medium severity · 5.5 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2025-55641

Description

A NULL pointer dereference in GPAC MP4Box v2.4's gf_isom_copy_sample_info allows DoS via crafted MP4 with corrupt SAI metadata.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A NULL pointer dereference vulnerability exists in the gf_isom_copy_sample_info function within isomedia/isom_write.c of GPAC MP4Box v2.4. The bug is triggered when MP4Box processes a crafted MP4 file containing corrupted Sample Auxiliary Information (SAI) metadata, such as an invalid sai_samples count. Insufficient pointer validation after a failure in SAI merge handling leads to a NULL read, resulting in a crash. Affected versions are GPAC/MP4Box prior to the fix commit f87b30611380e4dcd03cd4dd9ac553c0ec336826 [1].

Exploitation

An attacker can exploit this vulnerability by crafting an MP4 file with malicious SAI metadata (e.g., an invalid sai_samples count). The attacker does not require authentication or prior access; the only user interaction needed is for the victim to open or process the crafted file with GPAC MP4Box [1]. The vulnerability is triggered during the import operation, specifically when gf_isom_copy_sample_info attempts to read from a pointer that was not validated after a failed SAI merge.

Impact

Successful exploitation causes a denial of service (DoS): AddressSanitizer reports a segmentation fault (SEGV) from a read memory access at address 0x0 [1]. The impact is limited to availability; no information disclosure, data modification, or privilege escalation has been disclosed. The CVSS v3.1 base score is 4.3 (Medium) with the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L [1].

Mitigation

The vulnerability is fixed in GPAC commit f87b30611380e4dcd03cd4dd9ac553c0ec336826 [1]. Users should update GPAC to a version that includes this patch or later. No workarounds are provided in the available references; the recommended action is to avoid processing untrusted MP4 files with affected versions until the update is applied.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing pointer validation in gf_isom_copy_sample_info after SAI merge handling fails, leading to NULL pointer dereference."

Attack vector

An attacker supplies a crafted MP4 file containing corrupted Sample Auxiliary Information (SAI) metadata, such as an invalid `sai_samples` count [1]. When MP4Box imports this file with a command like `./MP4Box -add crafted.mp4 -new /dev/null -split-size 500`, the function `gf_isom_copy_sample_info` does not sufficiently validate pointers after the SAI merge handling fails, leading to a NULL pointer dereference [1]. No authentication or special privileges are required beyond the ability to provide the crafted file [1].

Affected code

The vulnerable function is `gf_isom_copy_sample_info` in `isomedia/isom_write.c` at line 8164. The crash is reached via `gf_import_isomedia_track` in `media_tools/media_import.c:708` during a split-size operation [1].
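
As an added example (not code from the advisory or from GPAC), the Python below triages an AddressSanitizer report from a fuzzing or CI run against the crash signature described above: a SEGV READ in the zero page with `gf_isom_copy_sample_info` as the top frame. The sample report is constructed, and the names `parse_asan` and `matches_cve_2025_55641` are hypothetical.

```python
import re

# Constructed AddressSanitizer report (not real tool output). Frame names and
# file:line values are the ones this advisory gives; the addresses are made up.
SAMPLE_ASAN = """\
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0000001111 bp 0x7ffc00002222 sp 0x7ffc00003333 T0)
==4242==The signal is caused by a READ memory access.
==4242==Hint: address points to the zero page.
    #0 0x7f0000001111 in gf_isom_copy_sample_info isomedia/isom_write.c:8164
    #1 0x7f0000004444 in gf_import_isomedia_track media_tools/media_import.c:708
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-fA-F]+)")
ACCESS = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+)(?: (\S+?):(\d+))?", re.M)


def parse_asan(report):
    """Return crash kind, faulting address, access type and stack frames."""
    head = HEADER.search(report)
    if head is None:
        return None  # not an ASan "unknown address" crash report
    access = ACCESS.search(report)
    # Each frame is (function, source file or None, line number or None).
    frames = [(m.group(2), m.group(3), int(m.group(4)) if m.group(4) else None)
              for m in FRAME.finditer(report)]
    return {"kind": head.group(1), "address": int(head.group(2), 16),
            "access": access.group(1) if access else None, "frames": frames}


def matches_cve_2025_55641(report):
    """True when the report carries the signature this advisory describes."""
    crash = parse_asan(report)
    if crash is None or not crash["frames"]:
        return False
    # Match on the function name, not the line number: line numbers shift
    # between builds. Assumption: any address below 0x1000 is treated as a
    # NULL dereference, since a field offset can move the fault off 0x0.
    return (crash["kind"] == "SEGV"
            and crash["access"] == "READ"
            and crash["address"] < 0x1000
            and crash["frames"][0][0] == "gf_isom_copy_sample_info")
```
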

What the fix does

The advisory states the fix is in commit `f87b30611380e4dcd03cd4dd9ac553c0ec336826` [1]. No patch diff is provided in the bundle, but the fix is expected to add pointer validation in `gf_isom_copy_sample_info` after SAI merge handling, preventing the NULL pointer dereference when corrupted SAI metadata is encountered [1].

Preconditions

  • input: Attacker must provide a crafted MP4 file with corrupted Sample Auxiliary Information (SAI) metadata
  • config: Victim must run MP4Box with the crafted file as input (e.g., using -add and -split-size flags)

Reproduction

Build GPAC with address sanitizer: `CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g"`. Run: `./MP4Box -add 13_poc.mp4 -new /dev/null -split-size 500` using the PoC file from `https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/13/13_poc.mp4` [1].

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2
