PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-70116 GPAC CVE debrief

A NULL pointer dereference vulnerability exists in GPAC MP4Box when parsing malformed MP4 files. The issue occurs in `gf_media_map_esd` within the media tools ISOM utilities, where an unknown or invalid `stsd` (sample description) entry can leave descriptor fields unpopulated, specifically the codec, MIME type, or profile strings. When these fields are absent, the function subsequently calls `strlen()` on a NULL pointer, triggering a crash detectable via AddressSanitizer (ASan SEGV). The vulnerability is triggered by truncated or malformed MP4 files and represents a denial-of-service condition through application crash. It was reported to the GPAC project via a GitHub issue and disclosed publicly on infosec.exchange.

Vendor: GPAC
Product: MP4Box
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-30
Advisory published: 2026-05-27
Advisory updated: 2026-05-30

Who should care

Organizations using GPAC MP4Box for media processing, content delivery networks handling user-uploaded MP4 files, multimedia application developers, and security teams monitoring for denial-of-service vectors in media parsing pipelines.

Technical summary

The vulnerability stems from insufficient NULL checks in `gf_media_map_esd` (media_tools/isom_tools.c:1364) when handling sample description entries. An attacker can craft a truncated MP4 file with an invalid `stsd` entry that lacks expected descriptor strings. The code path attempts to determine string length via `strlen()` on these unpopulated fields, resulting in a segmentation fault. This is a classic NULL pointer dereference (CWE-476) leading to denial of service. The crash is reproducible under AddressSanitizer, confirming the memory safety violation. No evidence of code execution or information disclosure has been identified.
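As an added illustration (not GPAC's code; the `sample_desc` struct and function names are hypothetical stand-ins for the descriptor fields an `stsd` entry is expected to carry), the unchecked `strlen()` pattern described above next to a variant that rejects an incomplete entry instead of dereferencing NULL:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the descriptor strings mapped from a sample
 * description entry. For an unknown or truncated stsd entry any of these
 * may remain NULL, which is the condition behind CVE-2025-70116. */
struct sample_desc {
    const char *codec;
    const char *mime;
    const char *profile;
};

/* Unchecked pattern: assumes every field was populated. With a NULL field
 * this dereferences NULL inside strlen() (CWE-476) and the process crashes,
 * which ASan reports as a SEGV. Kept only to contrast with the checked
 * version below. */
size_t desc_total_len_unchecked(const struct sample_desc *d)
{
    return strlen(d->codec) + strlen(d->mime) + strlen(d->profile);
}

/* Checked variant: treat a missing field as a malformed entry and return -1
 * so the caller can skip or reject the track rather than crash. */
long desc_total_len_checked(const struct sample_desc *d)
{
    if (!d || !d->codec || !d->mime || !d->profile)
        return -1;
    return (long)(strlen(d->codec) + strlen(d->mime) + strlen(d->profile));
}

/* Format "codec/mime/profile" into out. Returns 0 on success, -1 when the
 * entry is incomplete or the buffer cannot hold the result plus NUL. */
int desc_format(const struct sample_desc *d, char *out, size_t out_sz)
{
    long n = desc_total_len_checked(d);
    if (n < 0 || (size_t)n + 3 > out_sz)   /* two '/' separators + NUL */
        return -1;
    snprintf(out, out_sz, "%s/%s/%s", d->codec, d->mime, d->profile);
    return 0;
}
```

The checked path is the shape of fix a parser needs here: every optional descriptor string is validated once, up front, and the entry is refused as a whole when any is absent.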

Defensive priority

medium

Recommended defensive actions

  • Update GPAC/MP4Box to a patched version when available from the GPAC project
  • Implement input validation to reject truncated or malformed MP4 files before processing
  • Deploy application sandboxing to contain crashes from malformed media processing
  • Monitor GPAC GitHub repository for security advisories and commit fixes
  • Consider using memory-safe media parsing alternatives where feasible

Evidence notes

Vulnerability disclosed via GPAC GitHub issue and social media disclosure on infosec.exchange. No CISA KEV entry. CVE published 2026-05-27 with 'Received' status in NVD.
