Medium severity 5.5 · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2025-60495

Description

A segmentation violation in GPAC MP4Box's gf_media_get_color_info function allows attackers to cause a Denial of Service via a crafted MP4 file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A segmentation violation exists in the gf_media_get_color_info function within media_tools/isom_tools.c of GPAC Project/MP4Box versions prior to 26.02. The vulnerability is triggered when the application processes a malformed MP4 file containing inconsistent video sample entries, such as a v210 entry that incorrectly includes an avcC AVC Decoder Configuration Box, leading to a null pointer dereference [1].

Exploitation

An attacker can trigger this vulnerability by providing a specially crafted MP4 file to the MP4Box utility. No specific network position or authentication is required, as the crash occurs during the local parsing of the file structure [1]. The vulnerability is reachable through standard file processing workflows, such as using the -split-size command-line argument [1].

Impact

Successful exploitation of this vulnerability results in a crash of the MP4Box process, leading to a Denial of Service (DoS) condition [1]. The issue is caused by a memory access violation, specifically a read access to the zero page, which terminates the application execution [1].

Mitigation

This vulnerability is addressed in GPAC Project/MP4Box version 26.02 [1]. Users are advised to update to the latest version to incorporate the fix, which adds validation checks for configuration boxes to prevent null pointer dereferences [3].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
9beed3c0a2f3

Fixed #3335

https://github.com/gpac/gpac · Jean Le Feuvre · Sep 9, 2025 · via nvd-ref
1 file changed · +2 -0
  • src/media_tools/isom_tools.c · +2 -0 · modified
    @@ -967,6 +967,7 @@ GF_Err gf_media_get_color_info(GF_ISOFile *file, u32 track, u32 sampleDescriptio
     	) {
     		AVCState *avc_state;
     		GF_AVCConfig *avcc = gf_isom_avc_config_get(file, track, sampleDescriptionIndex);
    +		if (!avcc) return GF_NOT_FOUND;
     		u32 i;
     		s32 idx;
     		GF_NALUFFParam *slc;
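Review bot: the added `if (!avcc) return GF_NOT_FOUND;` sits between the `avcc` initializer and the `u32 i;`, `s32 idx;` and `GF_NALUFFParam *slc;` declarations, so a statement now precedes declarations in this block. Moving the check below the last declaration keeps the declarations grouped and avoids warnings from builds that flag mixed declarations and code, while still returning before `avcc` is used.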
    @@ -1005,6 +1006,7 @@ GF_Err gf_media_get_color_info(GF_ISOFile *file, u32 track, u32 sampleDescriptio
     	) {
     		HEVCState *hvc_state;
     		GF_HEVCConfig *hvcc = gf_isom_hevc_config_get(file, track, sampleDescriptionIndex);
    +		if (!hvcc) return GF_NOT_FOUND;
     		u32 i;
     		GF_NALUFFParamArray *pa;
     
    
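Review bot: the `if (!hvcc) return GF_NOT_FOUND;` guard has no comment saying when `gf_isom_hevc_config_get` can return NULL inside this branch, and the commit message only reads "Fixed #3335". A one-line comment naming the case (a sample entry with no usable HEVC configuration) would keep the check from later being removed as dead code. As in the AVC hunk, the statement is placed ahead of `u32 i;` and would read better after the declarations.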

Vulnerability mechanics

Root cause

"Missing input validation in gf_media_get_color_info allows a NULL-pointer dereference when a video sample entry contains an inconsistent box type."

Attack vector

An attacker supplies a crafted MP4 file where a video sample entry (such as `v210`) incorrectly contains an `avcC` AVC Decoder Configuration Box, creating an inconsistency. When MP4Box processes this file (e.g., with `-split-size 8000`), the `gf_media_get_color_info` function dereferences a NULL or invalid pointer, causing a segmentation violation. The attack requires no authentication and is triggered by file ingestion over the local filesystem or any input channel that delivers the crafted file to MP4Box. [ref_id=1]
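A pre-screening check for the inconsistency described above, added here as an example and not taken from GPAC or from this advisory's references: it walks the ISO BMFF box tree and reports sample entries whose type does not match an `avcC` or `hvcC` box they contain. The `EXPECTED` type lists, the function names and the constructed `SAMPLE` bytes are assumptions, and every `stsd` entry is treated as a visual entry.

```python
import struct

CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}  # boxes descended into
# Assumed, tunable mapping: config box -> sample entry types expected to carry it.
EXPECTED = {
    b"avcC": {b"avc1", b"avc2", b"avc3", b"avc4", b"encv"},
    b"hvcC": {b"hvc1", b"hev1", b"hvc2", b"hev2", b"encv"},
}
VISUAL_ENTRY_HEADER = 78  # SampleEntry (8 bytes) + VisualSampleEntry fields (70)

def boxes(buf, start, end):
    """Yield (type, payload_start, box_end) for each well-formed box in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack_from(">I4s", buf, pos)
        hdr = 8
        if size == 1 and pos + 16 <= end:  # 64-bit largesize follows the type
            size, hdr = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:  # box runs to the end of its container
            size = end - pos
        if size < hdr or pos + size > end:
            return  # malformed length: stop instead of reading out of bounds
        yield btype, pos + hdr, pos + size
        pos += size

def mismatched_entries(buf, start=0, end=None):
    """Return [(entry_type, config_box)] for entries holding a foreign config box."""
    end = len(buf) if end is None else end
    found = []
    for btype, p0, p1 in boxes(buf, start, end):
        if btype in CONTAINERS:
            found += mismatched_entries(buf, p0, p1)
        elif btype == b"stsd":
            for etype, e0, e1 in boxes(buf, p0 + 8, p1):  # skip version/flags + count
                for ctype, _, _ in boxes(buf, e0 + VISUAL_ENTRY_HEADER, e1):
                    if ctype in EXPECTED and etype not in EXPECTED[ctype]:
                        found.append((etype.decode("latin-1"), ctype.decode("latin-1")))
    return found

def make_box(btype, payload=b""):
    return struct.pack(">I4s", 8 + len(payload), btype) + payload
# Constructed sample (not a playable file): a v210 entry that carries an avcC box.
entry = make_box(b"v210", bytes(VISUAL_ENTRY_HEADER) + make_box(b"avcC"))
SAMPLE = make_box(b"stsd", bytes(4) + struct.pack(">I", 1) + entry)
for name in (b"stbl", b"minf", b"mdia", b"trak", b"moov"):
    SAMPLE = make_box(name, SAMPLE)

if __name__ == "__main__":
    print(mismatched_entries(SAMPLE))
```

To screen a real file before it reaches MP4Box, pass its bytes to `mismatched_entries` and quarantine the file when the list is non-empty. Boxes with malformed lengths stop the walk rather than raise, so an empty result is not proof that a file is well formed.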

Affected code

The vulnerability is in the `gf_media_get_color_info` function in `media_tools/isom_tools.c` at line 979. The crash occurs when MP4Box processes a crafted MP4 file where a video sample entry (e.g., `v210`) is inconsistent with its contained boxes (e.g., an `avcC` box inside a `v210` entry). The call chain leads through `mp4_mux_setup_pid` in `filters/mux_isom.c` and `split_isomedia_file` in `applications/mp4box/fileimport.c`.

What the fix does

The patch is not included in the bundle. Based on the advisory [ref_id=1], the fix should add a NULL-pointer check or input validation in `gf_media_get_color_info` at `media_tools/isom_tools.c:979` to handle the case where a video sample entry contains an unexpected box type (e.g., `avcC` inside `v210`). Without the patch, the function assumes the box structure is consistent and dereferences a pointer that is NULL or invalid.

Preconditions

  • input: The attacker must provide a crafted MP4 file where a video sample entry (e.g., v210) contains an inconsistent box (e.g., avcC).
  • config: The victim must run MP4Box (e.g., with -split-size 8000) on the crafted file.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
