NULL Pointer Dereference Vulnerability in GPAC MP4Box Software
CVE-2025-55657

7.5HIGH

Key Information:

Vendor: GPAC
Status: MP4Box
Vendor: CVE Published:; 9 June 2026

What is CVE-2025-55657?

The vulnerability in GPAC MP4Box v2.4 arises from a NULL pointer dereference within the gf_odf_vvc_cfg_write_bs function located in odf/descriptors.c. Attackers can exploit this issue by crafting a malicious MP4 file that, when processed by the software, can trigger a Denial of Service (DoS). This may render the affected application unresponsive, affecting users attempting to play or handle MP4 content. Timely awareness and updates are crucial to mitigate the risks associated with this vulnerability.

References

https://infosec.exchange/@sigdevel/116710754169365223

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
Aug 13, 2025

CVE-2025-55657 Data

JSON