VYPR
Medium severity 5.5 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2025-55649

Description

A NULL pointer dereference in GPAC MP4Box v2.4 allows denial of service via a crafted MP4 file with corrupted ESD data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A NULL pointer dereference vulnerability exists in the gf_media_map_esd function in media_tools/isom_tools.c of GPAC MP4Box v2.4. When processing a crafted MP4 file containing corrupted Elementary Stream Descriptor (ESD) data, the function calls strlen() on esd->URLString without first checking that the pointer is non-NULL, leading to a read access violation [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted MP4 file to the victim, who must then open or process the file with MP4Box v2.4 (e.g., via fragmentation). No authentication or special network position is required, only user interaction (the victim opening the file) [1].

Impact

Successful exploitation causes a denial of service (DoS) via application crash due to a segmentation fault (SEGV). The vulnerability does not lead to information disclosure, privilege escalation, or remote code execution. The CVSS v3.1 score is 4.3 (Medium) with no impact to confidentiality or integrity [1].

Mitigation

A fix is available in GPAC commit 09e7063ed0a13b4cee9a180a56dcc21e9f9ade07. Users should update to a version of GPAC/MP4Box that includes this commit. No workaround is documented in the provided reference [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Missing NULL check on esd->URLString before calling strlen() in gf_media_map_esd() leads to a NULL pointer dereference."

Attack vector

An attacker supplies a crafted MP4 file containing corrupted Elementary Stream Descriptor (ESD) data. When MP4Box processes this file with the `-frag` command, `gf_media_map_esd()` calls `strlen()` on `esd->URLString` without a NULL check [CWE-476]. This causes a SEGV due to a READ memory access at address 0x0, resulting in a denial of service. No authentication or special privileges are required beyond the ability to provide the crafted file [1].

Affected code

The vulnerability resides in `gf_media_map_esd()` in `media_tools/isom_tools.c` (line 1359). The function calls `strlen()` on `esd->URLString` without first checking that the pointer is non-NULL, leading to a NULL pointer dereference. The crash is reached via `isor_declare_track()` during MP4Box fragmentation setup.

What the fix does

The fix commit (09e7063ed0a13b4cee9a180a56dcc21e9f9ade07) adds a NULL check on `esd->URLString` before calling `strlen()` in `gf_media_map_esd()`. This prevents the NULL pointer dereference when processing crafted MP4 files with corrupted ESD data. The patch ensures that if `URLString` is NULL, the function handles it safely rather than passing it to `strlen()`.
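
The unchecked and guarded patterns side by side, as an added example that is not GPAC's code or the fix commit's diff. The `demo_esd` struct, both function names and the return codes are hypothetical; only the `URLString` field name is taken from the advisory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a parsed descriptor; only the URLString
 * field name comes from the advisory. */
typedef struct {
    unsigned short es_id;
    const char *URLString; /* NULL when the file carried no usable URL */
} demo_esd;

enum { MAP_OK = 0, MAP_NO_URL = 1, MAP_BAD_ARG = -1, MAP_TOO_LONG = -2 };

/* Pattern the advisory describes: strlen() on a pointer that may be NULL.
 * With URLString == NULL this is a read at address 0 (SEGV). */
static size_t url_len_unchecked(const demo_esd *esd)
{
    return strlen(esd->URLString);
}

/* Guarded pattern: validate the descriptor and the optional field first,
 * and report "no URL" as a distinct, non-fatal result. */
static int map_url_checked(const demo_esd *esd, char *out, size_t out_sz)
{
    if (!esd || !out || out_sz == 0) return MAP_BAD_ARG;
    out[0] = '\0';
    if (!esd->URLString) return MAP_NO_URL;   /* the missing check */
    size_t n = strlen(esd->URLString);
    if (n >= out_sz) return MAP_TOO_LONG;     /* keep the copy bounded */
    memcpy(out, esd->URLString, n + 1);
    return MAP_OK;
}

int main(void)
{
    char buf[32];
    demo_esd good = { 1, "file.mp4" };        /* constructed sample */
    demo_esd bad  = { 2, NULL };              /* models corrupted ESD data */

    printf("unchecked, good: %zu\n", url_len_unchecked(&good));
    printf("checked, good:   %d (%s)\n",
           map_url_checked(&good, buf, sizeof buf), buf);
    printf("checked, bad:    %d\n", map_url_checked(&bad, buf, sizeof buf));
    /* url_len_unchecked(&bad) would crash; deliberately not called. */
    return 0;
}
```

Building the unchecked variant with AddressSanitizer and feeding it the NULL case reproduces the class of report the advisory describes: a SEGV on a READ at address 0x0.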

Preconditions

  • input: The attacker must provide a crafted MP4 file with corrupted Elementary Stream Descriptor (ESD) data that causes `esd->URLString` to be NULL.
  • config: The victim must run MP4Box with the `-frag` command on the crafted file.

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
