CVE-2025-55652
Description
A heap buffer overflow in GPAC MP4Box v2.4's gf_isom_vp_config_new function allows denial of service via a crafted MP4 file with malformed VP codec configuration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow exists in the gf_isom_vp_config_new function in isomedia/avc_ext.c of GPAC MP4Box version 2.4. When processing a crafted MP4 file containing malformed VP codec configuration data in the stsd box (including an unknown D0ncv box type), the function allocates an undersized 88-byte buffer without proper boundary validation, leading to a heap overflow. Affected versions are GPAC prior to commit 74fecde32cd477ab097f3e6db55a32b259f3313d [1].
Exploitation
An attacker can exploit this vulnerability by supplying a specially crafted MP4 file to a victim running MP4Box, typically during DASH segmentation. No authentication is required, but user interaction is needed (the victim must open the file with MP4Box). The attack vector is network-based (remote) as the file can be delivered via download or other means [1].
Impact
Successful exploitation results in a denial of service (DoS) due to the heap buffer overflow, potentially causing application crash or memory corruption. The CVSS v3.1 score is 4.3 (Medium) with no impact on confidentiality or integrity, only availability [1]. The official CVSS v3 score is 5.5 (Medium) as per the CVE header.
Mitigation
The fix is available in commit 74fecde32cd477ab097f3e6db55a32b259f3313d in the GPAC repository. Users should update to a version containing this commit or later. No workaround is mentioned in the reference. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication [1].
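To check a local source tree against the mitigation above, this added shell function (not part of the advisory or of the GPAC project) reports whether a git checkout contains the fix commit. The name `gpac_fix_status` and its `fixed`/`vulnerable`/`unknown` results are this example's own, and git 2.15 or later is assumed.

```shell
#!/bin/sh
# Added example, not GPAC code. The fix commit hash is the one given on this
# page; the environment override lets the check be exercised on a test repo.
FIX_COMMIT="${FIX_COMMIT:-74fecde32cd477ab097f3e6db55a32b259f3313d}"

# gpac_fix_status <repo-dir> [rev]   (hypothetical helper name)
# Prints and returns: fixed (0), vulnerable (1), unknown (2).
gpac_fix_status() {
    repo=$1
    rev=${2:-HEAD}

    # Not a git work tree (e.g. a release tarball) or rev does not resolve.
    if ! git -C "$repo" rev-parse --verify --quiet "$rev^{commit}" >/dev/null 2>&1; then
        echo unknown; return 2
    fi

    # Fix object missing: in a shallow clone the history is truncated, so
    # absence proves nothing; in a full clone the tree predates the fix.
    # A fork that cherry-picked the fix under another hash also lands here.
    if ! git -C "$repo" cat-file -e "$FIX_COMMIT^{commit}" 2>/dev/null; then
        if [ "$(git -C "$repo" rev-parse --is-shallow-repository 2>/dev/null)" = true ]; then
            echo unknown; return 2
        fi
        echo vulnerable; return 1
    fi

    # Fix object present: patched only if it is an ancestor of rev.
    if git -C "$repo" merge-base --is-ancestor "$FIX_COMMIT" "$rev" 2>/dev/null; then
        echo fixed; return 0
    else
        rc=$?
    fi
    if [ "$rc" -eq 1 ]; then echo vulnerable; return 1; fi
    echo unknown; return 2
}
```

Source the file and call `gpac_fix_status /path/to/gpac`; pass a tag or branch as the second argument to check a revision other than `HEAD`.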
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing buffer boundary validation in gf_isom_vp_config_new allows writing VP/NALU configuration data beyond an undersized 88-byte heap allocation."
Attack vector
An attacker supplies a crafted MP4 file containing malformed VP codec configuration data in the `stsd` box, including an unknown `D0ncv` box type [1]. When MP4Box runs DASH segmentation on this file, `gf_isom_vp_config_new()` does not validate buffer boundaries, leading to a heap-buffer-overflow WRITE of size 8 at 136 bytes after the 88-byte heap region [1]. No authentication or special privileges are required beyond the ability to provide the crafted file [1].
Affected code
The heap buffer overflow occurs in `gf_isom_vp_config_new()` in `isomedia/avc_ext.c` (line 1962). The function allocates an undersized 88-byte box structure and then writes VP/NALU configuration data beyond it, triggered via `mp4_mux_setup_pid()` in `filters/mux_isom.c` during DASH segmentation.
What the fix does
The advisory does not include a patch diff, but references a fix commit `74fecde32cd477ab097f3e6db55a32b259f3313d` [1]. The fix must add proper buffer boundary validation in `gf_isom_vp_config_new()` to ensure the allocated box structure is large enough for the VP/NALU configuration data being written, preventing the heap-buffer-overflow.
Preconditions
- Input: Attacker must provide a crafted MP4 file with malformed VP codec configuration data in the `stsd` box.
- Config: Victim must run MP4Box with the `-dash` option on the crafted file.
Reproduction
Build GPAC with `CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g"`, then run `./MP4Box -dash 10000 ./18_poc.mp4` [1]. The PoC file is available at https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/18/18_poc.mp4 [1].
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.