CVE-2025-55647
Description
GPAC MP4Box v2.4 is vulnerable to a denial of service via crafted MP4 files with oversized PSSH metadata, causing an out-of-memory condition.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is an integer overflow (CWE-190) in the mp4_mux_cenc_insert_pssh function in filters/mux_isom.c of GPAC MP4Box, version 2.4. The function fails to properly validate size fields such as kid_count and dataSize from PSSH metadata before using them in a buffer size calculation. An attacker can supply a crafted MP4 file with oversized PSSH metadata to trigger the flaw. Affected versions are GPAC prior to the fix commit e95f3064d846e4606276fff111e0f97df1576a04 [1].
Exploitation
An attacker needs to craft a malicious MP4 file containing malformed PSSH metadata with large size fields. The attacker must deliver this file to a user or service that processes it with MP4Box (e.g., by tricking a user into opening the file or by serving it to a server that automatically processes uploaded MP4 files). No special network position or authentication is required beyond the ability to provide the crafted file. The MP4Box application will attempt to process the file, and the integer overflow causes an out-of-memory condition leading to a denial of service [1].
Impact
A successful exploit causes a denial of service (DoS) due to an out-of-memory crash in MP4Box. The attacker can cause the application to terminate unexpectedly, disrupting availability. The CVSS v3.1 score is 4.3 (medium) with a vector of AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L, indicating low availability impact and requiring user interaction [1]. There is no impact on confidentiality or integrity.
Mitigation
The vulnerability was fixed in a commit (e95f3064d846e4606276fff111e0f97df1576a04) to the GPAC repository [1]. Users should update to a version of GPAC that includes this commit or later. If an update cannot be applied, avoid processing untrusted MP4 files with MP4Box as a workaround. No other mitigations are mentioned in the references.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Integer overflow in buffer size calculation due to insufficient validation of PSSH size fields (kid_count/dataSize) in mp4_mux_cenc_insert_pssh."
Attack vector
An attacker supplies a crafted MP4 file containing malformed Protection System Specific Header (PSSH) metadata with oversized `kid_count` or `dataSize` fields [1]. When MP4Box processes this file with DASH segmentation (`-dash 10000`), the unchecked size fields overflow during a buffer size computation, causing `realloc()` to request an enormous allocation that exhausts memory [1]. No authentication or special privileges are required beyond the ability to provide the crafted file [1].
Affected code
The vulnerability resides in `mp4_mux_cenc_insert_pssh()` in `filters/mux_isom.c`. The function fails to validate PSSH-related size fields (`kid_count`/`dataSize`) before using them in a buffer size calculation, leading to an integer overflow that causes `realloc()` to attempt an enormous allocation (0xe40000100 bytes) at line 4326, triggered via `mp4_mux_start_fragment()` at line 6396.
What the fix does
The advisory does not include a patch diff, but states the fix is in commit `e95f3064d846e4606276fff111e0f97df1576a04` [1]. The remediation must add validation of PSSH size fields (`kid_count`, `dataSize`) before they are used in buffer size arithmetic, preventing the integer overflow that leads to the out-of-memory condition. Without such checks, an attacker can force `realloc()` to allocate an enormous amount of memory, causing a denial of service.
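As an added illustration of the kind of check described above (hypothetical code, not GPAC's own), the following computes the size of a version-1 PSSH payload from the `kid_count` and `dataSize` fields with overflow detection and bounds it against the bytes actually present in the box; the field values in `main` are constructed for the demonstration, not taken from the report:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A version-1 PSSH payload carries kid_count 16-byte KIDs, then a 32-bit
 * dataSize and dataSize bytes of data (ISO/IEC 23001-7). Computing
 * kid_count*16 + dataSize from untrusted fields without checks is what lets
 * a crafted box drive realloc() to an enormous size. */
#define PSSH_KID_SIZE 16u
#define PSSH_MAX_PAYLOAD (64u * 1024u * 1024u)  /* constructed policy cap */

/* Hypothetical checked helper. Returns true and sets *out_size only if:
 *  - kid_count * 16 does not overflow size_t,
 *  - adding dataSize does not overflow,
 *  - the result, plus the 4-byte dataSize field, fits in box_payload_len,
 *  - the result stays under the policy cap. */
bool pssh_payload_size_checked(uint32_t kid_count, uint32_t data_size,
                               size_t box_payload_len, size_t *out_size)
{
    size_t kids_bytes, total;
    if (__builtin_mul_overflow((size_t)kid_count, (size_t)PSSH_KID_SIZE, &kids_bytes))
        return false;
    if (__builtin_add_overflow(kids_bytes, (size_t)data_size, &total))
        return false;
    if (total > box_payload_len || box_payload_len - total < 4)
        return false;                     /* claims more bytes than the box holds */
    if (total > PSSH_MAX_PAYLOAD)
        return false;                     /* well-formed but unreasonably large */
    *out_size = total;
    return true;
}

/* Unchecked form for comparison: in 64-bit arithmetic it never wraps, it just
 * faithfully produces whatever size the fields demand. */
uint64_t pssh_payload_size_unchecked(uint32_t kid_count, uint32_t data_size)
{
    return (uint64_t)kid_count * PSSH_KID_SIZE + data_size;
}

int main(void)
{
    size_t sz = 0;
    /* Constructed values: unchecked arithmetic yields 0xE40000100 bytes,
     * the allocation size quoted in the advisory; the checked helper rejects
     * them because a 4 KiB box cannot contain that payload. */
    printf("unchecked: 0x%llx\n",
           (unsigned long long)pssh_payload_size_unchecked(0xE4000000u, 0x100u));
    printf("checked:   %s\n",
           pssh_payload_size_checked(0xE4000000u, 0x100u, 4096, &sz) ? "accepted" : "rejected");
    return 0;
}
```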
Preconditions
- input: Attacker must supply a crafted MP4 file with malformed PSSH metadata containing oversized kid_count or dataSize fields.
- config: MP4Box must be invoked with DASH segmentation (e.g., `-dash 10000`).
- auth: No authentication or special privileges required beyond the ability to provide the crafted file.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.