CVE-2025-55645
Description
A heap buffer overflow in GPAC MP4Box v2.4 via gf_cenc_set_pssh allows denial of service after processing a crafted MP4 file with an oversized PSSH payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap buffer overflow exists in the gf_cenc_set_pssh function in isomedia/drm_sample.c of GPAC MP4Box v2.4. The function does not validate the declared PSSH payload size before copying it into a fixed-size heap buffer, so a crafted MP4 file containing malformed Protection System Specific Header (PSSH) data causes a heap-buffer-overflow read in memcpy(). GPAC versions prior to fix commit e95f3064d846e4606276fff111e0f97df1576a04 are affected [1].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted MP4 file with an oversized PSSH payload. The attack requires no authentication or user interaction beyond having the victim open the malicious file with MP4Box (e.g., via a command-line invocation or a web service that processes MP4 files). The vulnerability is reachable over the network if the attacker can deliver the file to the processing system [1].
Impact
Successful exploitation leads to a heap-based buffer overflow while reading memory, which can result in a denial of service (DoS). The CVSS v3.1 score of 5.4 (medium severity) also reflects potential limited information disclosure, and the weakness is classified as CWE-120 (buffer copy without checking size of input), but the primary impact described is a crash or hang of the application [1].
Mitigation
The vulnerability has been patched in a commit identified as e95f3064d846e4606276fff111e0f97df1576a04 in the GPAC repository. Users should update to a version that includes this fix or apply the patch. No other workarounds are mentioned in the available reference. The product is open-source and widely used; no evidence of exploitation in the wild is provided [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of the declared PSSH payload size before copying it into a fixed-size heap buffer in gf_cenc_set_pssh."
Attack vector
An attacker supplies a crafted MP4 file containing malformed Protection System Specific Header (PSSH) data. The function `gf_cenc_set_pssh()` does not sufficiently validate the declared PSSH payload size before copying it into a fixed-size heap buffer, leading to a heap-buffer-overflow READ of size 2097152016 at `memcpy()`. No authentication or special privileges are required beyond the ability to provide the crafted file [1].
Affected code
The heap buffer overflow occurs in `gf_cenc_set_pssh()` at `isomedia/drm_sample.c:982` and is reached via `mp4_mux_cenc_insert_pssh()` in `filters/mux_isom.c:4338` when MP4Box performs DASH/CENC processing on a crafted MP4 file. The vulnerability is present in GPAC/MP4Box prior to commit `e95f3064d846e4606276fff111e0f97df1576a04`.
What the fix does
The fix commit `e95f3064d846e4606276fff111e0f97df1576a04` addresses the missing validation of the PSSH payload size before the `memcpy()` call in `gf_cenc_set_pssh()`. By adding a proper size check, the patch prevents copying attacker-controlled data beyond the bounds of the allocated heap buffer, eliminating both the heap-buffer-overflow read and the potential for adjacent heap memory disclosure.
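The following C program is an added illustration of the check described above; it is not GPAC's code and not the content of the fix commit. It models a `pssh` box payload parser that validates the declared data size against both the bytes actually present and the destination buffer's capacity before calling `memcpy()`. The box layout (FullBox version/flags, 16-byte SystemID, a KID list when version > 0, then DataSize and Data) is assumed from ISO/IEC 23001-7; the capacity `PSSH_DATA_CAP`, the sample boxes and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not GPAC's code: a bounds-checked parser for the
 * payload of a 'pssh' box. Layout assumed from ISO/IEC 23001-7:
 * version/flags (4), SystemID (16), [KID_count (4) + 16*KID_count if
 * version > 0], DataSize (4), Data (DataSize bytes). */

#define PSSH_DATA_CAP 256  /* constructed capacity of the fixed-size heap buffer */

typedef struct {
    const uint8_t *p;   /* box payload as actually present in the file */
    size_t len;         /* bytes available */
    size_t pos;         /* read cursor */
} reader;

static size_t left(const reader *r) { return r->len - r->pos; }

/* Read a big-endian u32; fails instead of reading past the payload. */
static int rd_u32(reader *r, uint32_t *v) {
    if (left(r) < 4) return -1;
    const uint8_t *b = r->p + r->pos;
    *v = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    r->pos += 4;
    return 0;
}

static int skip(reader *r, size_t n) {
    if (left(r) < n) return -1;
    r->pos += n;
    return 0;
}

/* Parse one pssh payload, copying Data into a heap buffer of PSSH_DATA_CAP
 * bytes. Returns the number of Data bytes copied, or -1 if the payload is
 * truncated or declares more data than is present or than fits. */
long parse_pssh_payload(const uint8_t *payload, size_t payload_len) {
    reader r = { payload, payload_len, 0 };
    uint32_t vflags, kid_count = 0, data_size;

    if (rd_u32(&r, &vflags)) return -1;          /* version (top 8 bits) + flags */
    if (skip(&r, 16)) return -1;                 /* SystemID */
    if ((vflags >> 24) > 0) {                    /* version > 0 carries a KID list */
        if (rd_u32(&r, &kid_count)) return -1;
        if (kid_count > left(&r) / 16) return -1;   /* also avoids kid_count*16 wrap */
        if (skip(&r, (size_t)kid_count * 16)) return -1;
    }
    if (rd_u32(&r, &data_size)) return -1;

    /* The check the vulnerable path lacks: the declared DataSize must not
     * exceed the bytes actually present, nor the destination capacity.
     * Without it, memcpy() reads past the end of the source heap buffer. */
    if (data_size > left(&r)) return -1;
    if (data_size > PSSH_DATA_CAP) return -1;

    uint8_t *dst = malloc(PSSH_DATA_CAP);
    if (!dst) return -1;
    memcpy(dst, r.p + r.pos, data_size);   /* safe: data_size is bounded above */
    free(dst);
    return (long)data_size;
}

/* Constructed samples: version 0, zero SystemID, then DataSize + Data. */
static const uint8_t kGoodPssh[] = {
    0x00,0x00,0x00,0x00,                       /* version 0, flags 0 */
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,        /* SystemID (constructed) */
    0x00,0x00,0x00,0x04,                       /* DataSize = 4 */
    0xDE,0xAD,0xBE,0xEF                        /* Data */
};
/* Same box, but DataSize declares 0x7FFFFFF0 bytes while only 4 follow. */
static const uint8_t kBadPssh[] = {
    0x00,0x00,0x00,0x00,
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x7F,0xFF,0xFF,0xF0,
    0xDE,0xAD,0xBE,0xEF
};

int main(void) {
    printf("well-formed: %ld\n", parse_pssh_payload(kGoodPssh, sizeof kGoodPssh)); /* 4 */
    printf("oversized:   %ld\n", parse_pssh_payload(kBadPssh, sizeof kBadPssh));   /* -1 */
    return 0;
}
```

The well-formed box parses to 4 bytes of Data; the box with an oversized DataSize is rejected before any copy, and a payload truncated before the end of Data is rejected the same way. Validating against the bytes remaining in the payload, rather than only against the destination size, is what prevents the out-of-bounds read the advisory describes.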
Preconditions
- input: Attacker must supply a crafted MP4 file with malformed PSSH data
- config: Victim must process the file with MP4Box using DASH/CENC options (e.g., -dash 10000)
Reproduction
Build GPAC with AddressSanitizer: `CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g"`. Run `./MP4Box -dash 10000 ./16_poc.mp4`. The PoC file is available at https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/16/16_poc.mp4 [1].
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.