VYPR
Medium severity 5.5 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2025-55663

Description

A NULL pointer dereference in GPAC MP4Box v2.4's Track_SetStreamDescriptor function allows denial of service via a crafted MP4 file with an unknown svcC box.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A NULL pointer dereference vulnerability exists in GPAC MP4Box v2.4, specifically in the Track_SetStreamDescriptor function located in isomedia/track.c. When processing a crafted MP4 file containing an unknown svcC box inside an av01 parent box, the unsupported-box handling path can leave the relevant sample entry pointer uninitialized or invalid. The affected versions are those prior to commit 15a4ac2dff38cdbb8b43e7c84fb1595ee80d81ac [1].

Exploitation

An attacker can trigger this vulnerability by supplying a specially crafted MP4 file to MP4Box. No authentication is required, but user interaction is necessary as the victim must open the malicious file using MP4Box. The attacker does not need any special network position or privileges; the file can be delivered via email, download, or other means. The exploit sequence involves MP4Box importing the crafted MP4, which hits the unsupported svcC box path, causing the sample entry pointer to be NULL, and then calling Track_SetStreamDescriptor which dereferences the NULL pointer, leading to a segmentation violation [1].

Impact

Successful exploitation results in a denial of service (DoS). The segmentation violation causes MP4Box to crash, potentially disrupting workflows that depend on MP4Box for media processing. The impact is limited to availability; no data confidentiality or integrity is compromised [1].

Mitigation

The fix is implemented in commit 15a4ac2dff38cdbb8b43e7c84fb1595ee80d81ac [1]. Users should update GPAC MP4Box to a version that includes this commit or later. No workarounds are documented. If an update is not possible, avoid processing untrusted MP4 files with MP4Box.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"NULL pointer dereference in Track_SetStreamDescriptor due to uninitialized sample entry pointer when processing a crafted MP4 with an unknown svcC box inside an av01 parent box."

Attack vector

An attacker supplies a crafted MP4 file with an unknown `svcC` box nested inside an `av01` parent box. When MP4Box imports this file (e.g., via `MP4Box -add crafted.mp4 -new /dev/null -ab 1024`), the unsupported-box handling path leaves the relevant sample entry pointer uninitialized. `Track_SetStreamDescriptor()` later dereferences this pointer without validation, causing a NULL pointer dereference (CWE-476) and a segmentation violation. No authentication or special privileges are required beyond the ability to provide the crafted file.

Affected code

The vulnerability resides in `Track_SetStreamDescriptor()` in `isomedia/track.c` at line 1677, reached via `gf_isom_change_mpeg4_description()` and `gf_media_update_bitrate_ex()` in `media_tools/media_import.c`. The crash occurs when MP4Box processes a crafted MP4 file containing an unknown `svcC` box inside an `av01` parent box, leaving the sample entry pointer uninitialized or invalid.

What the fix does

The fix commit `15a4ac2dff38cdbb8b43e7c84fb1595ee80d81ac` addresses the issue by adding a NULL check on the sample entry pointer in `Track_SetStreamDescriptor()` before dereferencing it. This prevents the segmentation violation when an unsupported box (like the unknown `svcC` box inside `av01`) leaves the pointer uninitialized. The patch ensures that if the pointer is invalid, the function returns early without performing the bitrate update that triggered the crash.

Preconditions

  • input: The attacker must supply a crafted MP4 file containing an unknown `svcC` box inside an `av01` parent box.
  • config: The victim must run MP4Box with the crafted file as input (e.g., via the `-add` option).
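
The input precondition can be checked before a file reaches an unpatched MP4Box. The following is an added example, not code from GPAC or from this advisory: a pre-screen that walks the ISO BMFF box tree and reports whether any `av01` sample entry carries an `svcC` child box. All function names are hypothetical, the sample bytes are constructed `stbl` fragments rather than complete MP4 files, and a match is a heuristic based on the layout described above, not proof that the file crashes MP4Box.

```python
import struct

CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}
VISUAL_FIELDS = 78  # SampleEntry (8) + VisualSampleEntry (70) bytes before child boxes

def boxes(buf, start, end):
    """Yield (type, payload_start, box_end) for each box in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1 and pos + 16 <= end:  # 64-bit largesize follows the type
            size, header = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:  # box runs to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            return  # malformed size: stop instead of reading out of bounds
        yield btype, pos + header, pos + size
        pos += size

def av01_children(buf, start=0, end=None, depth=0):
    """Return one list of child box types per av01 sample entry found."""
    end = len(buf) if end is None else end
    found = []
    for btype, body, stop in boxes(buf, start, end):
        if btype in CONTAINERS and depth < 8:  # bound recursion on hostile nesting
            found += av01_children(buf, body, stop, depth + 1)
        elif btype == b"stsd":
            # skip FullBox version/flags (4) and entry_count (4)
            for etype, ebody, estop in boxes(buf, body + 8, stop):
                if etype == b"av01":
                    kids = boxes(buf, ebody + VISUAL_FIELDS, estop)
                    found.append([t.decode("latin-1") for t, _, _ in kids])
    return found

def has_svcc_in_av01(buf):
    """True when any av01 sample entry carries an svcC child box."""
    return any("svcC" in kids for kids in av01_children(buf))

def box(btype, payload=b""):
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

def constructed_stbl(child):
    """Constructed stbl fragment (not a complete MP4) with one av01 entry."""
    entry = box(b"av01", bytes(VISUAL_FIELDS) + box(child, bytes(4)))
    return box(b"stbl", box(b"stsd", bytes(4) + struct.pack(">I", 1) + entry))

if __name__ == "__main__":
    for child in (b"av1C", b"svcC"):
        print(child.decode(), has_svcc_in_av01(constructed_stbl(child)))
```

Files that match can be held back until MP4Box is updated past the fix commit. A file with malformed box sizes stops the walk early and is reported as no match, so pair this with a general well-formedness check.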

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
