CVE-2025-55643
Description
NULL pointer dereference in GPAC MP4Box v2.4 TrackWriter allows denial of service via crafted MP4 file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A NULL pointer dereference vulnerability exists in the TrackWriter handling component of GPAC MP4Box v2.4, specifically in the file filters/mux_isom.c. When processing a crafted MP4 file with malformed metadata boxes (such as mvcC or stsz containing extra bytes), the PID-to-track setup can fail, leaving the TrackWriter pointer NULL. This issue affects GPAC versions prior to the fix commit 74fecde32cd477ab097f3e6db55a32b259f3313d [1].
Exploitation
To exploit this vulnerability, an attacker must supply a specially crafted MP4 file with malformed mvcC or stsz boxes. The victim must then use MP4Box to perform DASH segmentation on the file. No authentication is required, but user interaction is necessary (the victim must open the malicious file). The attack sequence involves the malformed metadata causing the PID-to-track setup to fail, resulting in a NULL TrackWriter pointer during fragmented MP4 muxing [1].
Impact
Successful exploitation leads to a NULL pointer dereference, causing the application to crash. This results in a denial of service (DoS) condition. There is no impact on confidentiality or integrity; only availability is affected [1].
Mitigation
The vulnerability is fixed in commit 74fecde32cd477ab097f3e6db55a32b259f3313d. Users should update their GPAC installation to a version that includes this fix. If updating is not immediately possible, avoid processing untrusted MP4 files with MP4Box for DASH segmentation. No other workarounds are mentioned in the reference [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing NULL pointer check on the TrackWriter pointer in filters/mux_isom.c after a failed PID-to-track setup allows a NULL dereference."
Attack vector
An attacker supplies a crafted MP4 file with malformed metadata boxes (e.g., `mvcC` or `stsz` with extra bytes) to MP4Box. When MP4Box runs a DASH segmentation command (`-dash 10000`), the PID-to-track setup fails, leaving a `TrackWriter` pointer NULL. The subsequent member access on this NULL pointer triggers a crash, causing a denial of service. No authentication or special privileges are required beyond the ability to provide the crafted file [1].
Affected code
The vulnerability resides in `filters/mux_isom.c` at line 6621, where the `TrackWriter` pointer is dereferenced without a NULL check. The crash occurs during DASH segmentation when malformed `mvcC` or `stsz` boxes cause the PID-to-track setup in the muxer to fail, leaving the `TrackWriter` pointer NULL.
What the fix does
The fix commit (74fecde32cd477ab097f3e6db55a32b259f3313d) is referenced but its diff is not included in the bundle. Based on the advisory, the patch likely adds a NULL check before the `TrackWriter` member access in `filters/mux_isom.c:6621`, preventing the dereference when the PID-to-track setup fails. Without the patch, the code unconditionally accesses the `TrackWriter` pointer even when it was never assigned.
Preconditions
- input: Attacker must provide a crafted MP4 file with malformed `mvcC` or `stsz` boxes.
- config: MP4Box must be invoked with the `-dash` flag (e.g., `-dash 10000`).
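An added example, not taken from the advisory or from GPAC: a pre-screen for one of the malformations named above, an `stsz` box whose length disagrees with its own fields, using the `stsz` layout from ISO/IEC 14496-12. The function names and the sample bytes are constructed for illustration; `mvcC` is not checked, and a clean result does not show a file is safe to process.

```python
import struct

# Boxes that only contain other boxes, on the path down to the sample table.
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}

def iter_boxes(buf, start, end):
    """Yield (type, box_start, payload_start, box_end) for boxes in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:  # 64-bit largesize follows the type field
            if pos + 16 > end:
                raise ValueError(f"truncated largesize header at {pos}")
            size, header = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:  # box runs to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"box {btype!r} at {pos}: invalid size {size}")
        yield btype, pos, pos + header, pos + size
        pos += size

def stsz_size_mismatches(buf, start=0, end=None):
    """Return [(box_offset, extra_bytes)] per mismatched stsz; negative = table cut short."""
    end = len(buf) if end is None else end
    found = []
    for btype, box_start, body, box_end in iter_boxes(buf, start, end):
        if btype in CONTAINERS:
            found += stsz_size_mismatches(buf, body, box_end)
        elif btype == b"stsz":
            if box_end - body < 12:
                raise ValueError(f"stsz at {box_start}: fixed fields missing")
            _ver_flags, sample_size, count = struct.unpack_from(">III", buf, body)
            # The per-sample size table is present only when sample_size is 0.
            expected = 12 + (4 * count if sample_size == 0 else 0)
            if box_end - body != expected:
                found.append((box_start, box_end - body - expected))
    return found

def box(btype, payload=b""):
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

def wrap(stsz):  # constructed skeleton (ftyp + moov/.../stbl), not a playable file
    for parent in (b"stbl", b"minf", b"mdia", b"trak", b"moov"):
        stsz = box(parent, stsz)
    return box(b"ftyp", b"isom" + bytes(4)) + stsz

TABLE = struct.pack(">IIIII", 0, 0, 2, 100, 200)  # two samples: 100 and 200 bytes
GOOD = wrap(box(b"stsz", TABLE))
BAD = wrap(box(b"stsz", TABLE + b"\xaa" * 5))     # five trailing bytes
```

A `ValueError` from the walker means the box structure itself is inconsistent, which is also a reason to keep the file away from the muxer.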
Reproduction
1. Build GPAC with `CC="gcc -fsanitize=address,undefined -g" CXX="g++ -fsanitize=address,undefined -g"`.
2. Run `./MP4Box -dash 10000 ./17_poc.mp4`.
3. Observe the UBSan error: `filters/mux_isom.c:6621:35: runtime error: member access within null pointer of type 'struct TrackWriter'` [1].
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.