VYPR
Unrated severity · NVD Advisory · Published May 27, 2026

CVE-2025-70116

Description

A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in GPAC MP4Box's `gf_media_map_esd` function causes a crash when parsing specially truncated MP4 files with invalid `stsd` entries.

Vulnerability

The vulnerability resides in media_tools/isom_tools.c at line 1364 in the function gf_media_map_esd. When MP4Box processes a truncated MP4 file containing an unknown or invalid stsd entry, descriptor fields (e.g., codec, MIME, profile strings) may be missing, resulting in a NULL pointer. The function then calls strlen() on this NULL pointer, causing a segmentation fault. Affected versions include all GPAC MP4Box builds prior to a fix. The issue is reported in [1] and a proof-of-concept file is available [2].

Exploitation

An attacker can craft a malicious MP4 file with a truncated or malformed stsd box that leads to missing descriptor fields. No authentication is required; the victim must open the file with MP4Box (e.g., using the -split-size option). The PoC command is ./MP4Box -split-size 8000 <poc_file> [1]. The crash occurs during parsing without any user interaction beyond opening the file.

Impact

Successful exploitation results in a denial of service (DoS) via application crash (SEGV). The crash is confirmed by AddressSanitizer (ASan) output. No code execution or data exfiltration is reported; the impact is limited to availability.

Mitigation

As of the publication date (2026-05-27), no official patch has been released. The GPAC project has acknowledged the issue [1]. Users should avoid processing untrusted MP4 files with MP4Box until a fix is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Workaround: use alternative media processing tools or apply input validation.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Gpac/Gpac · references · 2 versions · + 1 more
    • (no CPE)
    • (no CPE)

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing NULL-pointer check in gf_media_map_esd when an unknown/invalid stsd entry leaves descriptor fields (codec/mime/profile strings) uninitialized, and strlen() is called on a NULL pointer."

Attack vector

An attacker provides a crafted, truncated MP4 file containing an unknown or invalid stsd entry that causes descriptor fields (e.g., codec, mime, or profile strings) to remain NULL [1]. When MP4Box processes this file (e.g., via the `-split-size` command), the function `gf_media_map_esd` in `media_tools/isom_tools.c` at line 1364 calls `strlen()` on the NULL pointer, resulting in a segmentation fault [1]. No authentication or special privileges are required; the attacker only needs to deliver the malformed file to a victim who runs MP4Box on it.

Affected code

The vulnerable code is in `media_tools/isom_tools.c` at line 1364, in the function `gf_media_map_esd` [1]. The crash occurs when an unknown/invalid stsd entry results in missing descriptor fields (codec, mime, or profile strings) that are subsequently passed to `strlen()` without a NULL check [1].

What the fix does

The advisory does not include a published patch or code diff [1]. The recommended remediation is to add a NULL-pointer check in `gf_media_map_esd` before calling `strlen()` on descriptor fields that may be uninitialized when an unknown/invalid stsd entry is encountered [1]. Until a fix is released, users should avoid processing untrusted MP4 files with MP4Box.
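The guard recommended above, shown as an added example in C; it is not GPAC's code and not a patch from the project. The `sample_desc` struct, the function names, the error codes and the output string format are hypothetical stand-ins for the descriptor fields the advisory names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a parsed sample description; not GPAC's struct.
   Any string may be NULL when the stsd entry was unknown or truncated. */
typedef struct {
    const char *codec;
    const char *mime;
    const char *profile;
} sample_desc;

enum { DESC_OK = 0, DESC_MISSING_FIELD = -1, DESC_TOO_LONG = -2 };

/* Unguarded form of the pattern the advisory describes:
   strlen(NULL) is undefined behaviour and crashes in practice. */
size_t desc_len_unchecked(const sample_desc *d)
{
    return strlen(d->mime) + strlen(d->codec) + strlen(d->profile);
}

/* Guarded form: validate every pointer first, then format into a bounded
   buffer and report failure as an error code the caller can act on. */
int desc_format_checked(const sample_desc *d, char *out, size_t out_sz)
{
    int n;
    if (!d || !out || out_sz == 0)
        return DESC_MISSING_FIELD;
    out[0] = '\0';
    if (!d->mime || !d->codec || !d->profile)
        return DESC_MISSING_FIELD;   /* reject the entry, do not guess */
    n = snprintf(out, out_sz, "%s; codecs=\"%s.%s\"", d->mime, d->codec, d->profile);
    if (n < 0 || (size_t)n >= out_sz) {
        out[0] = '\0';
        return DESC_TOO_LONG;
    }
    return DESC_OK;
}

int main(void)
{
    char buf[64];
    sample_desc bad = { "avc1", NULL, NULL };  /* constructed: fields left unset */
    sample_desc ok = { "avc1", "video/mp4", "64001f" };
    printf("bad -> %d\n", desc_format_checked(&bad, buf, sizeof buf));
    printf("ok  -> %d (%s)\n", desc_format_checked(&ok, buf, sizeof buf), buf);
    return 0;
}
```

Returning an error for a missing field, rather than substituting an empty string, lets the caller skip or reject the track instead of carrying a half-populated descriptor further into processing.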

Preconditions

  • input: Victim must run MP4Box (e.g., with -split-size) on a crafted, truncated MP4 file
  • input: The MP4 file must contain an unknown/invalid stsd entry that leaves descriptor fields uninitialized

Reproduction

Run `./MP4Box -split-size 8000 68_gf_media_map_esd_media_tools_isom_tools_c_1364` on the crafted input file [1]. The tool will crash with a NULL-pointer dereference in `gf_media_map_esd` at line 1364 of `media_tools/isom_tools.c` [1].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
