VYPR
Medium severity 5.5 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2025-55661

Description

Heap buffer overflow in GPAC MP4Box v2.4 via a crafted MP4 file with a malformed Opus packet leads to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-buffer-overflow vulnerability exists in the Opus audio stream parser component of GPAC MP4Box version 2.4. The flaw resides in the gf_opus_parse_packet_header() function within media_tools/av_parsers.c. When processing a specially crafted MP4 file containing a malformed Opus audio packet (e.g., an invalid TOC code 3 length), the function fails to sufficiently validate the input buffer size before reading packet header fields, resulting in a heap buffer overflow. The issue affects GPAC versions prior to the fix commit ff8249a407685d00ceb5f4d2a798b9cad195140e. [1]

Exploitation

An attacker must supply a crafted MP4 file with a malformed Opus packet. The user must open or process the file with MP4Box (e.g., via MP4Box -info or similar command). No prior authentication or special network position is required beyond delivering the file to the target. The attack vector is local, but the file can be delivered remotely (e.g., via email, download). The vulnerability is triggered during the parsing of the Opus packet when gf_opus_parse_packet_header() is called. [1]

Impact

Successful exploitation can cause a denial of service (DoS) via a heap buffer overflow, as reported by AddressSanitizer. The CVSS v3.1 base score is 5.4 (Medium), with low impact to confidentiality and availability. No code execution has been demonstrated or claimed in the available references. [1]

Mitigation

The vulnerability is fixed in GPAC commit ff8249a407685d00ceb5f4d2a798b9cad195140e. Users should update GPAC to a version containing this fix. No workarounds are documented. [1]

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Missing input buffer size validation in gf_opus_parse_packet_header allows a heap-buffer-overflow read when processing a malformed Opus packet."

Attack vector

An attacker supplies a crafted MP4 file with a malformed Opus packet (e.g., an invalid TOC code 3 length). When MP4Box dumps the file (e.g., `./MP4Box 9_poc.mp4 -dxml -out /dev/null`), `gf_opus_parse_packet_header()` does not sufficiently validate the input buffer size before reading Opus packet header fields, causing a heap-buffer-overflow read of size 1 beyond a 3-byte heap region [1]. No authentication or special privileges are required beyond the ability to provide the crafted file [1].

Affected code

The vulnerability resides in `gf_opus_parse_packet_header()` in `media_tools/av_parsers.c` at line 11326. It is reached via `gf_inspect_dump_opus_internal()` in `filters/inspect.c` and `dump_isom_opus()` in `applications/mp4box/filedump.c` when MP4Box processes a crafted MP4 file containing a malformed Opus audio packet [1].

What the fix does

The advisory references a fix commit (`ff8249a407685d00ceb5f4d2a798b9cad195140e`) but does not include the patch diff. Based on the description, the fix likely adds bounds checking in `gf_opus_parse_packet_header()` to validate that the input buffer is large enough before reading Opus packet header fields, preventing the out-of-bounds read [1].
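
An added example, not GPAC's code and not the referenced fix commit: a bounds-checked reader for the Opus packet header layout of RFC 6716, section 3.2, showing the kind of length validation described above, where every header byte is read only after checking it lies inside the buffer. The names `rd_t`, `rd_u8`, `rd_frame_len` and `opus_header_size_checked` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical cursor over an untrusted packet (not a GPAC type). */
typedef struct { const uint8_t *p; size_t len, pos; } rd_t;

/* Every header read goes through this length check. */
static int rd_u8(rd_t *r, uint8_t *out) {
    if (r->pos >= r->len) return -1;
    *out = r->p[r->pos++];
    return 0;
}

/* RFC 6716 frame length: one byte (0..251) or two (first byte 252..255). */
static int rd_frame_len(rd_t *r, size_t *out) {
    uint8_t b0 = 0, b1 = 0;
    if (rd_u8(r, &b0)) return -1;
    if (b0 >= 252 && rd_u8(r, &b1)) return -1;
    *out = (b0 < 252) ? b0 : (size_t)b1 * 4 + b0;
    return 0;
}

/* Returns the header size in bytes, or -1 for a truncated or invalid packet. */
long opus_header_size_checked(const uint8_t *buf, size_t len) {
    rd_t r = { buf, len, 0 };
    uint8_t toc = 0, fc = 0, b = 0;
    size_t flen = 0, pad = 0, frames = 0;
    if (!buf || rd_u8(&r, &toc)) return -1;
    if ((toc & 3) == 2) {                  /* code 2: length of first frame */
        if (rd_frame_len(&r, &frames)) return -1;
    } else if ((toc & 3) == 3) {           /* code 3: count byte is v|p|M */
        if (rd_u8(&r, &fc) || (fc & 0x3F) == 0) return -1;  /* M = 0 invalid */
        if (fc & 0x40)                     /* padding length chain */
            do {
                if (rd_u8(&r, &b)) return -1;
                pad += (b == 255) ? 254 : b;
            } while (b == 255);
        if (fc & 0x80)                     /* VBR: M-1 explicit frame lengths */
            for (unsigned i = 1; i < (fc & 0x3Fu); i++) {
                if (rd_frame_len(&r, &flen)) return -1;
                frames += flen;
            }
    }
    /* Declared frame and padding bytes must fit in what follows the header. */
    if (frames + pad > len - r.pos) return -1;
    return (long)r.pos;
}
```

A caller treats `-1` as a malformed packet and stops parsing instead of reading further header fields.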

Preconditions

  • input: Attacker must supply a crafted MP4 file with a malformed Opus audio packet
  • config: Victim must run MP4Box with the crafted file (e.g., dump to XML)

Reproduction

Reproduction steps from the advisory: build GPAC with `CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g"`, then run `./MP4Box 9_poc.mp4 -dxml -out /dev/null`. The PoC file is available at https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/9/9_poc.mp4 [1].

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
