VYPR
Medium severity · 5.5 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2025-55644

Description

CVE-2025-55644: heap use-after-free in GPAC MP4Box v2.4's gf_node_get_tag via crafted MP4 with invalid BIFS GlobalQuantizer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap use-after-free vulnerability exists in GPAC MP4Box v2.4 in the gf_node_get_tag function within scenegraph/base_scenegraph.c [1]. When processing a crafted MP4 file containing an invalid BIFS GlobalQuantizer command, BM_ParseGlobalQuantizer() in bifs/memory_decoder.c calls gf_node_unregister() to release a 192-byte QuantizationParameter node, but the freed pointer is not cleared. Subsequently, gf_node_get_tag() is called on this freed pointer, leading to a use-after-free condition [1].

Exploitation

An attacker must supply a crafted MP4 file that includes an invalid BIFS GlobalQuantizer command. No authentication is required, and the attack vector is via network (the file can be delivered remotely). The user needs to open the malicious file with MP4Box (e.g., using the -info or dump functionality). The attack does not require special privileges, but does require user interaction to load the file [1].

Impact

Successful exploitation can cause a Denial of Service (DoS) due to the application reading from or writing to freed heap memory. The CVSS v3.1 base score is 4.3 (Medium) with no impact on confidentiality or integrity, but limited availability impact [1]. The vulnerability does not lead to privilege escalation or remote code execution based on available details.

Mitigation

The official GPAC repository includes a fix in commit f5b7cdc63a7f3269040778c5431a8f6c310bc9f3 [1]. Users should update to a version of GPAC that includes this fix. No workaround is documented; if a fixed version is unavailable, avoid opening untrusted MP4 files with MP4Box.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Use-after-free: BM_ParseGlobalQuantizer() frees a QuantizationParameter node via gf_node_unregister() but does not clear the pointer, then calls gf_node_get_tag() on the freed memory."

Attack vector

An attacker supplies a crafted MP4 file with an invalid BIFS GlobalQuantizer command. When MP4Box decodes the BIFS command list during an `-svg` scene dump, `BM_ParseGlobalQuantizer()` frees a QuantizationParameter node without clearing the pointer, then reads from the freed memory via `gf_node_get_tag()`. No authentication or special privileges are required beyond the ability to provide the crafted file [1]. The CVSS vector in the bundle is `AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H`, indicating local access and user interaction are required.

Affected code

The vulnerability resides in `BM_ParseGlobalQuantizer()` in `bifs/memory_decoder.c` and `gf_node_get_tag()` in `scenegraph/base_scenegraph.c`. When a crafted MP4 file contains an invalid BIFS GlobalQuantizer command, `BM_ParseGlobalQuantizer()` calls `gf_node_unregister()` to free a QuantizationParameter node but does not clear the stale pointer, then calls `gf_node_get_tag()` on the freed pointer, causing a heap-use-after-free READ [1].

What the fix does

The fix commit `f5b7cdc63a7f3269040778c5431a8f6c310bc9f3` (referenced in the advisory) addresses the use-after-free by ensuring the stale pointer is cleared after `gf_node_unregister()` frees the QuantizationParameter node, preventing the subsequent `gf_node_get_tag()` call from reading freed heap memory [1]. Without this fix, the dangling pointer leads to a heap-use-after-free READ that can crash the application.
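The release-without-clear pattern and the clear-after-release fix described above, as an added example in a simplified model. This is not GPAC source or the fix commit's diff: every name in it (`node_t`, `decoder_t`, `parse_gq_stale`, `parse_gq_cleared`, the tag value) is hypothetical, and a static pool stands in for the heap so the stale access shows up as a return value of -1 instead of undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, NOT GPAC source: every name below is hypothetical. */
#define TAG_QP 77u                      /* constructed tag value */

typedef struct { unsigned tag; int refs; int live; } node_t;
typedef struct { node_t *active_qp; } decoder_t;

/* Static pool: releasing a node only flips `live`, so the demo stays defined. */
static node_t pool[4];

static node_t *node_new(unsigned tag) {
    for (size_t i = 0; i < 4; i++)
        if (!pool[i].live) { pool[i] = (node_t){ tag, 1, 1 }; return &pool[i]; }
    return NULL;
}

/* Drop one reference; the node is released when the count reaches zero. */
static void node_unregister(node_t *n) {
    if (n && n->live && --n->refs == 0) n->live = 0;
}

/* Returns -1 where real code would be reading freed heap memory. */
static int node_get_tag(const node_t *n) {
    if (!n) return 0;
    return n->live ? (int)n->tag : -1;
}

/* Before: the invalid-command path releases the node but keeps the pointer. */
static int parse_gq_stale(decoder_t *d, int command_valid) {
    d->active_qp = node_new(TAG_QP);
    if (!command_valid) node_unregister(d->active_qp);
    return node_get_tag(d->active_qp);
}

/* After: release and clear together, so later users see NULL. */
static int parse_gq_cleared(decoder_t *d, int command_valid) {
    d->active_qp = node_new(TAG_QP);
    if (!command_valid) { node_unregister(d->active_qp); d->active_qp = NULL; }
    return node_get_tag(d->active_qp);
}

int main(void) {
    decoder_t a = {0}, b = {0};
    printf("stale:   %d\n", parse_gq_stale(&a, 0));    /* -1: use of a released node */
    printf("cleared: %d\n", parse_gq_cleared(&b, 0));  /*  0: nothing left to use */
    return 0;
}
```

Building a fuzzing or regression target for this kind of parser with AddressSanitizer turns the equivalent real-heap access into an immediate, attributable report.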

Preconditions

  • input: Attacker must provide a crafted MP4 file with an invalid BIFS GlobalQuantizer command
  • input: User must run MP4Box with the `-svg` option on the crafted file
  • auth: No authentication or special privileges required beyond file access

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
