PatchSiren cyber security CVE debrief
CVE-2025-60481 GPAC Project CVE debrief
A NULL pointer dereference vulnerability exists in the gf_odf_ac4_cfg_dsi_v1 function within /odf/descriptors.c in GPAC Project/MP4Box versions prior to 26.02.0. The flaw can be triggered when processing a crafted AC4 audio file, resulting in a Denial of Service (DoS) condition. The vulnerability was addressed in a commit to the GPAC repository.
- Vendor: GPAC Project
- Product: MP4Box
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Organizations using GPAC/MP4Box for media processing, particularly those handling AC4 audio files from untrusted sources, should prioritize patching.
Technical summary
The vulnerability is a NULL pointer dereference located in the gf_odf_ac4_cfg_dsi_v1 function in /odf/descriptors.c. When MP4Box or other GPAC-based tools process a malformed AC4 audio file, the dereference causes a crash, leading to Denial of Service. The issue affects versions before 26.02.0.
Defensive priority
medium
Recommended defensive actions
- Upgrade GPAC Project/MP4Box to version 26.02.0 or later to obtain the fix for this vulnerability.
- Restrict processing of untrusted AC4 audio files until patching is complete.
- Monitor for anomalous crashes in MP4Box or applications using libgpac when handling AC4 content.
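The first action above hinges on knowing which MP4Box build is installed and comparing it numerically against the fixed release. The following Python script is an added example written for this debrief, not code from the GPAC project or the advisory. It assumes only that the banner printed by `MP4Box -version` contains a dotted version number somewhere (the exact banner wording is an assumption); the sample banner strings in the comments are constructed for illustration. The point it makes is that "26.02.0" must be compared as numbers, since as a string "2.4.0" would sort above it.

```python
import re
import subprocess

# Minimum fixed release named in the advisory text.
FIXED_VERSION = "26.02.0"


def parse_version(text):
    """Return the first dotted numeric version in text as a tuple of ints.

    Accepts "x.y" or "x.y.z" and ignores any suffix such as "-rev0" or a
    git hash. Returns None when no version is present.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups(default="0"))


def is_patched(version_text, fixed=FIXED_VERSION):
    """True when the version found in version_text is at least the fixed release.

    Numeric comparison matters: "26.02.0" and "26.2.0" denote the same release,
    and "2.4.0" must sort below "26.02.0" even though it sorts above as a string.
    An unparseable banner is treated as unpatched so that it is not silently
    passed over.
    """
    found = parse_version(version_text)
    if found is None:
        return False
    return found >= parse_version(fixed)


def check_local_mp4box(binary="MP4Box"):
    """Run the installed MP4Box with -version and classify it.

    Returns True (patched), False (unpatched or unrecognised banner) or None
    when the binary is absent or does not respond. Constructed example banner:
    "MP4Box - GPAC version 2.4.0-rev0-g0000000" would classify as False.
    """
    try:
        proc = subprocess.run(
            [binary, "-version"], capture_output=True, text=True, timeout=10
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    # Some builds print the banner on stderr, so inspect both streams.
    return is_patched(proc.stdout + proc.stderr)


if __name__ == "__main__":
    status = check_local_mp4box()
    if status is None:
        print("MP4Box not found or not responding")
    else:
        print("patched" if status else "UNPATCHED: upgrade to %s or later" % FIXED_VERSION)
```

Run it on each host that processes media; a `False` result for a machine that handles AC4 input from outside the organization is the case the second action above (restricting untrusted AC4 files) is meant to cover until the upgrade lands.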
Evidence notes
The CVE description identifies the affected function and file path. A commit reference indicates a fix was applied. An issue report and proof-of-concept documentation are also cited in source references.
Official resources
2026-06-01