VYPR
Medium severity 5.5 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2025-55660

Description

A stack buffer overflow in GPAC MP4Box's gf_opus_read_length function allows denial of service via a crafted MP4 file with a malformed Opus packet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stack-based buffer overflow exists in the gf_opus_read_length function within media_tools/av_parsers.c of GPAC MP4Box v2.4. The function fails to properly validate the size of a malformed, non-self-delimited Opus packet (e.g., an invalid odd packet length) before writing the computed length back into the packet header structure. This vulnerability affects GPAC versions prior to the fix commit ff8249a407685d00ceb5f4d2a798b9cad195140e [1].

Exploitation

An attacker can exploit this vulnerability by supplying a crafted MP4 file containing a malformed Opus packet. The victim must use MP4Box to dump or process the file. No authentication is required, but user interaction (opening the file) is necessary. When MP4Box processes the crafted file, the insufficient validation in gf_opus_read_length triggers a stack buffer overflow, leading to a crash [1].

Impact

Successful exploitation results in a denial of service (DoS) due to application crash. The CVSS v3 score of 5.5 (Medium) indicates a moderate availability impact, with no confidentiality or integrity compromise [1].

Mitigation

The vulnerability is fixed in commit ff8249a407685d00ceb5f4d2a798b9cad195140e. Users should update GPAC to a version containing this fix. No workarounds are documented, and the CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing validation of Opus packet size in gf_opus_read_length() allows a stack-buffer-overflow when writing the computed length into the packet header structure."

Attack vector

An attacker supplies a crafted MP4 file containing a malformed, non-self-delimited Opus packet (e.g., an invalid odd packet length). When MP4Box processes this file (e.g., via `-add` and `-dxml` flags), `gf_opus_read_length()` fails to sufficiently validate the Opus packet size before writing the computed length back into the packet header structure, causing a stack-buffer-overflow (CWE-121) [1]. No authentication or special privileges are required beyond the ability to provide the crafted file [1].

Affected code

The vulnerability resides in `gf_opus_read_length()` within `media_tools/av_parsers.c` (line 11140). The function is called from `gf_opus_parse_packet_header()`, which is reached via `gf_inspect_dump_opus_internal()` in `filters/inspect.c` when MP4Box dumps a crafted Opus track. The stack object `pckh` allocated in `gf_inspect_dump_opus_internal()` is overflowed by a WRITE of size 2 at offset 568 [1].

What the fix does

The advisory references a fix commit `ff8249a407685d00ceb5f4d2a798b9cad195140e` but does not include the patch diff. Based on the description, the fix likely adds bounds checking in `gf_opus_read_length()` to validate the Opus packet size before writing to the stack buffer, preventing the overflow. Without the patch text, the exact changes cannot be detailed [1].
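The kind of bounds checking described above, as an added example: this is not GPAC's code and not the fix commit. The `opus_hdr` struct and all function names are hypothetical; the length coding follows RFC 6716 section 3.2.1, and only TOC codes 0 to 2 of a non-self-delimited packet are handled.

```c
#include <stddef.h>
#include <stdint.h>
#define MAX_FRAMES 48       /* RFC 6716: at most 48 frames per packet */
#define MAX_FRAME_LEN 1275  /* RFC 6716: largest legal frame in bytes */

/* Hypothetical header struct for this example, not GPAC's. */
typedef struct {
    uint8_t  nb_frames;
    uint16_t frame_len[MAX_FRAMES];
} opus_hdr;

/* Decode the 1- or 2-byte frame length at data[*pos] (RFC 6716 3.2.1).
 * Returns -1 if the field would run past the end of the buffer. */
static int read_length(const uint8_t *data, size_t size, size_t *pos) {
    if (*pos >= size) return -1;
    int len = data[(*pos)++];
    if (len < 252) return len;          /* single-byte form */
    if (*pos >= size) return -1;        /* second byte is missing */
    return len + 4 * data[(*pos)++];    /* two-byte form, max 1275 */
}

/* Append one frame length, refusing to write past the fixed array. */
static int push_len(opus_hdr *h, size_t len) {
    if (h->nb_frames >= MAX_FRAMES || len > MAX_FRAME_LEN) return -1;
    h->frame_len[h->nb_frames++] = (uint16_t)len;
    return 0;
}

/* Compute the frame sizes of a non-self-delimited packet, TOC codes 0-2.
 * Returns 0 on success, -1 on malformed or unsupported input. */
int parse_frame_sizes(const uint8_t *pkt, size_t size, opus_hdr *h) {
    h->nb_frames = 0;
    if (size < 1) return -1;            /* no TOC byte */
    size_t pos = 1, body = size - 1;
    switch (pkt[0] & 0x3) {
    case 0:   /* one frame fills the packet */
        return push_len(h, body);
    case 1:   /* two equal frames: an odd body length is invalid */
        if (body & 1) return -1;
        return (push_len(h, body / 2) || push_len(h, body / 2)) ? -1 : 0;
    case 2: { /* first length is explicit, second is the remainder */
        int first = read_length(pkt, size, &pos);
        if (first < 0 || (size_t)first > size - pos) return -1;
        return (push_len(h, (size_t)first) ||
                push_len(h, size - pos - (size_t)first)) ? -1 : 0;
    }
    default:  /* code 3 (frame-count byte) is not handled in this example */
        return -1;
    }
}
```

Every store into `frame_len` goes through `push_len`, so a malformed packet yields an error return instead of a write outside the header struct.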

Preconditions

  • input: Attacker must provide a crafted MP4 file with a malformed, non-self-delimited Opus packet.
  • config: Victim must run MP4Box (e.g., `-add` and `-dxml` flags) on the crafted file.

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
